This is with respect to my earlier post on /root monitoring.
Now I am able to capture activities done under /root, but I have one small query: how can I exclude certain files and folders from monitoring?
Is there any way out?
Because under /root there are a number of files and folders, and I don't want all of them monitored.
Hi catch_mili
you can black- or whitelist any input; read more at http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Whitelistorblacklistspecificincomingdata
cheers,
MuS
Hi Ayn,
I'd appreciate it if you could give me an example.
I even tried this one:
[filter:blacklist:file.txt]
regex1 = .*txt
[fschange:/etc]
filters = file.txt
[monitor:///etc]
blacklist = (xyzfile)
It didn't work. If I make any changes they are detected by Splunk, even though I have blacklisted that file.
Please help...
Your syntax for fschange blacklisting is still wrong.
[fschange:/]
followLinks=true
pollPeriod=120
index = os
disabled = 0
blacklist = .(txt)$
[monitor:///etc]
_whitelist=(.conf|.cfg|config$|.ini|.init|.cf|.cnf|shrc$|^ifcfg|.profile|.rc|.rules|.tab|tab$|.login|policy$)
_blacklist = .(txt)$
index=os
disabled = 0
I have blacklisted .txt files from monitoring, but if I make any modification to a file it still shows under the file modify tab.
What will be the syntax if I don't want to monitor /root/folder?
Below is just an example; assume I don't want to monitor a particular folder under /root.
[monitor:///root]
blacklist = .(foldername)$
Will this work ?
[fschange:/root]
followLinks=true
pollPeriod=120
index = os
disabled = 0
blacklist = . (tempfile) $
Actually, while monitoring /root, I have one tempfile under it which I don't want monitored. But when I make changes it is captured by Splunk; not sure where I went wrong, the entry is pasted above.
Please help.
catch_mili, generally reading the docs is a good idea.
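To see why the blacklist patterns tried in this thread do not exclude what was intended, here is a small added check (my own example, not from the thread or from Splunk) that applies each regex to a few constructed /root paths. It assumes Splunk matches a monitor blacklist regex anywhere in the full file path (unanchored search); the corrected patterns at the end are my suggestions, not anything posted above.

```python
import re

# Assumption: Splunk tests a monitor blacklist regex against the full path with
# unanchored search semantics, so a match anywhere in the path excludes the file.
# The paths below are constructed sample input, not taken from any real host.
SAMPLE_PATHS = [
    "/root/.bashrc",
    "/root/notes.txt",
    "/root/tempfile",
    "/root/foldername",
    "/root/foldername/secret.conf",
    "/root/other/tempfile.bak",
]

def excluded(blacklist, paths=SAMPLE_PATHS):
    """Return the paths that the given blacklist regex would exclude."""
    pattern = re.compile(blacklist)
    return [p for p in paths if pattern.search(p)]

def monitored(blacklist, paths=SAMPLE_PATHS):
    """Return the paths that would still be monitored under that blacklist."""
    skip = set(excluded(blacklist, paths))
    return [p for p in paths if p not in skip]

# Patterns from the thread and what goes wrong with each:
ATTEMPTS = {
    # Only matches a path that ENDS in 'foldername': the directory entry itself
    # is excluded, but every file inside it still matches nothing here.
    ".(foldername)$": "does not cover files inside the folder",
    # Contains literal spaces, which no real path has, so it never matches.
    ". (tempfile) $": "literal spaces match no path",
}

# Hypothetical corrected patterns (my assumptions, not from the page):
FIXED = {
    "folder": r"^/root/foldername(/|$)",  # the folder and everything beneath it
    "tempfile": r"^/root/tempfile$",      # exactly that one file, nothing else
}

if __name__ == "__main__":
    for rx, why in ATTEMPTS.items():
        print(f"{rx!r}: excludes {excluded(rx)}  ({why})")
    for name, rx in FIXED.items():
        print(f"{name}: excludes {excluded(rx)}")
```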