I would like monitor all the files below except the first one
Because sample.log from environment a1 conusming more data and is not required to index
How to blacklist only this file from one environment?
How to achieve blacklist for folder level
/logs/sample/enva1/logs/sample.log
/logs/sample/enva2/logs/sample.log
/logs/sample/enva3/logs/sample.log
/logs/sample/enva4/logs/sample.log
/logs/sample/enva2/logs/purple.log
/logs/sample/enva4/logs/purple.log
As one of the options you can define Blacklist in your inputs.conf for the monitor data input you currently have.
[monitor://<YourFolderStructure>\enva*\logs\*]
blacklist = <YourFolderStructure>\enva1\logs\*
For information on Blacklisting refer to following documentation: https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Bl...
@splunkn were you able to try the blacklist solution?