File Trigger Events are being intermittently missed or not processed

Document ID : KB000097100
Last Modified Date : 18/06/2018
Show Technical Document Details
Issue:
A File Trigger is configured using a wildcard or regular expression in the file name attribute.
Multiple files arrive at the location that match the file name, based on the RegEx/wildcard, at the same time or very nearly the same time.
Only 1 File Trigger Event is processed, despite there being multiple files that meet the file trigger criteria.
Cause:
The log file monitor, filemon (on the Linux Agent) can only monitor one file at a time and this is determined by the regular expression (wildcard) that matches part of the log file name and the file with the most current modified date. So if you have a log file monitor with a regex that matches more than one file in a folder, and those log files are all being written to, the monitor is going to keep attaching to the most current log file and that is when events will be missed. 
Resolution:
For all intents and purposes rotating log file monitoring works fine as long as there is a 1:1 relationship between the monitor and the log file. If there are multiple log file names that match the same RegEx name then they should be broken out into different folders and there should be 1 File Trigger defined for each of the locations.