4 History functions
All functions listed here are supported in:
The functions are listed without additional information. Click on the function to see the full details.
| Function | Description |
|---|---|
| change | The amount of difference between the previous and latest value. |
| changecount | The number of changes between adjacent values within the defined evaluation period. |
| count | The number of values within the defined evaluation period. |
| countunique | The number of unique values within the defined evaluation period. |
| find | Find a value match within the defined evaluation period. |
| first | The first (the oldest) value within the defined evaluation period. |
| fuzzytime | Check how much the passive agent time differs from the Zabbix server/proxy time. |
| last | The most recent value. |
| logeventid | Check if the event ID of the last log entry matches a regular expression. |
| logseverity | The log severity of the last log entry. |
| logsource | Check if log source of the last log entry matches a regular expression. |
| monodec | Check if there has been a monotonous decrease in values. |
| monoinc | Check if there has been a monotonous increase in values. |
| nodata | Check for no data received. |
| percentile | The P-th percentile of a period, where P (percentage) is specified by the third parameter. |
| rate | The per-second average rate of the increase in a monotonically increasing counter within the defined time period. |
Common parameters
/host/keyis a common mandatory first parameter for the functions referencing the host item history(sec|#num)<:time shift>is a common second parameter for the functions referencing the host item history, where:- sec - maximum evaluation period in seconds (time suffixes can be used), or
- #num - maximum evaluation range in latest collected values (if preceded by a hash mark)
- time shift (optional) allows to move the evaluation point back in time. See more details on specifying time shift.
Function details
Some general notes on function parameters:
- Function parameters are separated by a comma
- Optional function parameters (or parameter parts) are indicated by
<> - Function-specific parameters are described with each function
/host/keyand(sec|#num)<:time shift>parameters must never be quoted
change(/host/key)
The amount of difference between the previous and latest value.
Supported value types: Float, Integer, String, Text, Log.
For strings returns: 0 - values are equal; 1 - values differ.
Parameters: see common parameters.
Comments:
- Numeric difference will be calculated, as seen with these incoming example values ('previous' and 'latest' value = difference):
'1' and '5' =+4
'3' and '1' =-2
'0' and '-2.5' =-2.5. - See also: abs for comparison.
Examples:
change(/host/system.uptime)<0 #system uptime change has been negative since the last value (indicating a reboot)
change(/host/system.cpu.load[all,avg1])>2 #CPU load (for one minute) has jumped by more than 2 since the last value
change(/host/vfs.fs.size[/,free])<-1G #free disk space has dropped by more than 1 GB between checkschangecount(/host/key,(sec|#num)<:time shift>,<mode>)
The number of changes between adjacent values within the defined evaluation period.
Supported value types: Float, Integer, String, Text, Log.
Parameters:
- See common parameters
- mode (must be double-quoted) - possible values: all - count all changes (default); dec - count decreases; inc - count increases
For non-numeric value types, the mode parameter is ignored.
Examples:
changecount(/host/icmpping,10m)>5 #ping status has changed more than 5 times in 10 minutes
changecount(/host/vfs.file.contents["/sys/class/net/eth0/operstate"],1h)>5 #operational state of eth0 has changed more than 5 times in an hour
changecount(/host/proc.num[httpd],15m)>10 #the number of httpd processes has changed more than 10 times in 15 minutes
changecount(/host/key,#10,"inc") #the number of value increases (relative to the adjacent value) among the last 10 values
changecount(/host/key,24h,"dec") #the number of value decreases (relative to the adjacent value) for the last 24 hours until nowcount(/host/key,(sec|#num)<:time shift>,<operator>,<pattern>)
The number of values within the defined evaluation period.
Supported value types: Float, Integer, String, Text, Log.
Parameters:
- See common parameters
- operator (must be double-quoted) Supported
operators:
eq - equal (default for integer, float)
ne - not equal
gt - greater
ge - greater or equal
lt - less
le - less or equal
like (default for string, text, log) - matches if contains pattern (case-sensitive)
bitand - bitwise AND
regexp - case-sensitive match of the regular expression given inpattern
iregexp - case-insensitive match of the regular expression given inpattern - pattern - the required pattern (string arguments must be double-quoted)
Comments:
- Float items match with the precision of 2.22e-16.
- like is not supported as operator for integer values.
- like and bitand are not supported as operators for float values.
- For string, text, and log values only eq, ne, like, regexp and iregexp operators are supported.
- With bitand as operator, the fourth
patternparameter can be specified as two numbers, separated by '/': number_to_compare_with/mask. count() calculates "bitwise AND" from the value and the mask and compares the result to number_to_compare_with. If the result of "bitwise AND" is equal to number_to_compare_with, the value is counted.
If number_to_compare_with and mask are equal, only the mask need be specified (without '/'). - With regexp or iregexp as operator, the fourth
patternparameter can be an ordinary or global (starting with '@') regular expression. In case of global regular expressions case sensitivity is inherited from global regular expression settings. For the purpose of regexp matching, float values will always be represented with 4 decimal digits after '.'. Also note that for large numbers difference in decimal (stored in database) and binary (used by Zabbix server) representation may affect the 4th decimal digit.
Examples:
count(/host/icmpping,30m,,"0")>5 #ping has failed more than 5 times in 30 minutes
count(/host/key,10m,"like","error") #the number of values for the last 10 minutes until now that contain 'error'
count(/host/key,10m,,12) #the number of values for the last 10 minutes until now that equal '12'
count(/host/key,10m,"gt",12) #the number of values for the last 10 minutes until now that are over '12'
count(/host/key,#10,"gt",12) #the number of values within the last 10 values until now that are over '12'
count(/host/key,10m:now-1d,"gt",12) #the number of values between 24 hours and 10 minutes and 24 hours ago from now that were over '12'
count(/host/key,10m,"bitand","6/7") #the number of values for the last 10 minutes until now having '110' (in binary) in the 3 least significant bits
count(/host/key,10m:now-1d) #the number of values between 24 hours and 10 minutes and 24 hours ago from nowcountunique(/host/key,(sec|#num)<:time shift>,<operator>,<pattern>)
The number of unique values within the defined evaluation period.
Supported value types: Float, Integer, String, Text, Log.
Parameters:
- See common parameters
- operator (must be double-quoted). Supported
operators:
eq - equal (default for integer, float)
ne - not equal
gt - greater
ge - greater or equal
lt - less
le - less or equal
like (default for string, text, log) - matches if contains pattern (case-sensitive)
bitand - bitwise AND
regexp - case-sensitive match of the regular expression given inpattern
iregexp - case-insensitive match of the regular expression given inpattern - pattern - the required pattern (string arguments must be double-quoted)
Comments:
- Float items match with the precision of 2.22e-16.
- like is not supported as operator for integer values.
- like and bitand are not supported as operators for float values.
- For string, text, and log values only eq, ne, like, regexp and iregexp operators are supported.
- With bitand as operator, the fourth
patternparameter can be specified as two numbers, separated by '/': number_to_compare_with/mask. countunique() calculates "bitwise AND" from the value and the mask and compares the result to number_to_compare_with. If the result of "bitwise AND" is equal to number_to_compare_with, the value is counted.
If number_to_compare_with and mask are equal, only the mask need be specified (without '/'). - With regexp or iregexp as operator, the fourth
patternparameter can be an ordinary or global (starting with '@') regular expression. In case of global regular expressions case sensitivity is inherited from global regular expression settings. For the purpose of regexp matching, float values will always be represented with 4 decimal digits after '.'. Also note that for large numbers difference in decimal (stored in database) and binary (used by Zabbix server) representation may affect the 4th decimal digit.
Examples:
countunique(/host/key,10m) #the number of unique values for the last 10 minutes until now
countunique(/host/key,10m,"like","error") #the number of unique values for the last 10 minutes until now that contain 'error'
countunique(/host/key,10m,,12) #the number of unique values for the last 10 minutes until now that equal '12'
countunique(/host/key,10m,"gt",12) #the number of unique values for the last 10 minutes until now that are over '12'
countunique(/host/key,#10,"gt",12) #the number of unique values within the last 10 values until now that are over '12'
countunique(/host/key,10m:now-1d,"gt",12) #the number of unique values between 24 hours and 10 minutes and 24 hours ago from now that were over '12'
countunique(/host/key,10m,"bitand","6/7") #the number of unique values for the last 10 minutes until now having '110' (in binary) in the 3 least significant bits
countunique(/host/key,10m:now-1d) #the number of unique values between 24 hours and 10 minutes and 24 hours ago from nowfind(/host/key,(sec|#num)<:time shift>,<operator>,<pattern>)
Find a value match within the defined evaluation period.
Supported value types: Float, Integer, String, Text, Log.
Returns: 1 - found; 0 - otherwise.
Parameters:
- See common parameters
- sec or #num (optional) - defaults to the latest value if not specified
- operator (must be double-quoted) Supported
operators:
eq - equal (default for integer, float)
ne - not equal
gt - greater
ge - greater or equal
lt - less
le - less or equal
like (default for string, text, log) - matches if contains the string given inpattern(case-sensitive)
bitand - bitwise AND
regexp - case-sensitive match of the regular expression given inpattern
iregexp - case-insensitive match of the regular expression given inpattern - pattern - the required pattern (string arguments must be double-quoted); Perl Compatible Regular Expression (PCRE) regular expression if
operatoris regexp, iregexp
Comments:
- If more than one value is processed, '1' is returned if there is at least one matching value.
- like is not supported as operator for integer values.
- like and bitand are not supported as operators for float values.
- For string, text, and log values only eq, ne, like, regexp and iregexp operators are supported.
- With regexp or iregexp as operator, the fourth
patternparameter can be an ordinary or global (starting with '@') regular expression. In case of global regular expressions case sensitivity is inherited from the global regular expression settings.
Examples:
find(/host/key,10m,"like","error") #find a value that contains 'error' within the last 10 minutes until now
find(/host/agent.version,,"like","beta")=1 #Zabbix agent has beta version, must be upgraded
find(/host/log[/var/log/nginx/access.log],,"regexp"," 500 ")=1 #internal web server error has been foundfirst(/host/key,sec<:time shift>)
The first (the oldest) value within the defined evaluation period.
Supported value types: Float, Integer, String, Text, Log.
Parameters:
See also last().
Example:
fuzzytime(/host/key,sec)
Check how much the passive agent time differs from the Zabbix server/proxy time.
Supported value types: Float, Integer.
Returns: 1 - difference between the passive item value (as timestamp) and Zabbix server/proxy timestamp (the clock of value collection) is less than or equal to sec seconds; 0 - otherwise.
Parameters:
- See common parameters.
Comments:
- Usually used with the 'system.localtime' item to check that local time is in sync with the local time of Zabbix server. Note that 'system.localtime' must be configured as a passive check for Zabbix agent; on Zabbix agent 2 it may be configured as an active check.
- Can be used also with the
vfs.file.time[/path/file,modify]key to check that the file did not get updates for long time. - This function is not recommended for use in complex trigger expressions (with multiple items involved), because it may cause unexpected results (time difference will be measured with the most recent metric), e.g. in
fuzzytime(/Host/system.localtime,60s)=0 or last(/Host/trap)<>0.
Examples:
fuzzytime(/host/system.localtime,5m)=0 #client local time differs from Zabbix server/proxy time by more than 5 minutes
fuzzytime(/host/system.localtime,5m)=0 and nodata(/host/system.localtime,10m)=0 #client local time differs from Zabbix server/proxy time by more than 5 minutes (while making sure the item has not stopped reporting data)last(/host/key,<#num<:time shift>>)
The most recent value.
Supported value types: Float, Integer, String, Text, Log.
Parameters:
- See common parameters
- #num (optional) - the Nth most recent value
Comments:
- Take note that a hash-tagged time period (#N) works differently here than with many other functions. For example:
last(/host/key)is always equal tolast(/host/key,#1);last(/host/key,#3)- the third most recent value (not three latest values). - Zabbix does not guarantee the exact order of values if more than two values exist within one second in history.
- See also first().
Examples:
last(/host/key) #retrieve the last value
last(/host/key,#2) #retrieve the previous value
last(/host/key,#1) <> last(/host/key,#2) #the last and previous values differlogeventid(/host/key,<#num<:time shift>>,<pattern>)
Check if the event ID of the last log entry matches a regular expression.
Supported value types: Log.
Returns: 0 - does not match; 1 - matches.
Parameters:
- See common parameters
- #num (optional) - the Nth most recent value
- pattern (optional) - the regular expression describing the required pattern, Perl Compatible Regular Expression (PCRE) style (string arguments must be double-quoted)
Examples:
logeventid(/host/eventlog[Security],,"4625")=1 #a log entry with ID matching "4625" (failed authentication) found
logeventid(/host/eventlog[System],,"6008|41")=1 #a log entry with ID matching "6008" or "41" foundlogseverity(/host/key,<#num<:time shift>>)
Log severity of the last log entry.
Supported value types: Log.
Returns: 0 - default severity; N - severity (integer, useful for Windows event logs: 1 - Information, 2 - Warning, 4 - Error, 7 - Failure Audit, 8 - Success Audit, 9 - Critical, 10 - Verbose).
Parameters:
- See common parameters
- #num (optional) - the Nth most recent value
Zabbix takes log severity from the Information field of Windows event log.
Examples:
logseverity(/host/log[/var/log/syslog],10m)>3 #a log entry with severity above "3" found
logseverity(/host/eventlog[System],10m)=4 #a log entry with severity equaling "Error" foundlogsource(/host/key,<#num<:time shift>>,<pattern>)
Check if log source of the last log entry matches a regular expression.
Supported value types: Log.
Returns: 0 - does not match; 1 - matches.
Parameters:
- See common parameters
- #num (optional) - the Nth most recent value
- pattern (optional) - the regular expression describing the required pattern, Perl Compatible Regular Expression (PCRE) style (string arguments must be double-quoted)
Normally used for Windows event logs.
Examples:
logsource(/host/eventlog[Application],,"MSSQLSERVER")=1 #a log entry with source matching "MSSQLSERVER" found
logsource(/host/eventlog[System],,"Service Control Manager")=1 #a log entry with source matching "Service Control Manager" found
logsource(/host/eventlog[System],,"Service Control Manager")=1 and logeventid(/host/eventlog[System],,"7031")=1 #a log entry with source matching "Service Control Manager" and event ID matching "7031" foundmonodec(/host/key,(sec|#num)<:time shift>,<mode>)
Check if there has been a monotonous decrease in values.
Supported value types: Integer.
Returns: 1 - if all elements in the time period continuously decrease; 0 - otherwise.
Parameters:
- See common parameters
- mode (must be double-quoted) - weak (every value is smaller or the same as the previous one; default) or strict (every value has decreased)
Examples:
monodec(/host/system.swap.size[all,free],60s) + monodec(/host2/system.swap.size[all,free],60s) + monodec(/host3/system.swap.size[all,free],60s) #calculate in how many hosts there has been a decrease in free swap size
monodec(/host/proc.num[nginx],10m,"strict")=1 #the number of nginx processes has monotonously decreased over 10 minutesmonoinc(/host/key,(sec|#num)<:time shift>,<mode>)
Check if there has been a monotonous increase in values.
Supported value types: Integer.
Returns: 1 - if all elements in the time period continuously increase; 0 - otherwise.
Parameters:
- See common parameters
- mode (must be double-quoted) - weak (every value is bigger or the same as the previous one; default) or strict (every value has increased)
Examples:
monoinc(/host/system.localtime,#3,"strict")=0 #the system local time has not been increasing consistently
monoinc(/host/vfs.dir.count[/mnt/data/logs],24h,"weak")=0 #trigger if the file count has stagnated over 24 hours (expected to grow)nodata(/host/key,sec,<mode>)
Check for no data received.
Supported value types: Integer, Float, Character, Text, Log.
Returns: 1 - if no data received during the defined period of time; 0 - otherwise.
Parameters:
- See common parameters
- sec - the period should not be less than 30 seconds because the history syncer process calculates this function only every 30 seconds;
nodata(/host/key,0)is disallowed - mode - if set to strict (double-quoted), this function will be insensitive to proxy availability (see comments for details)
Comments:
- the 'nodata' triggers monitored by proxy are, by default, sensitive to proxy availability - if proxy becomes unavailable, the 'nodata' triggers will not fire immediately after a restored connection, but will skip the data for the delayed period. Note that for passive proxies suppression is activated if connection is restored more than 15 seconds and no less than 2 seconds later. For active proxies suppression is activated if connection is restored more than 15 seconds later. To turn off sensitiveness to proxy availability, use the third parameter, e.g.:
nodata(/host/key,5m,"strict"); in this case the function will fire as soon as the evaluation period (five minutes) without data has past. - This function will display an error if, within the period of the 1st parameter:
- there's no data and Zabbix server was restarted
- there's no data and maintenance was completed
- there's no data and the item was added or re-enabled. - Errors are displayed in the Info column in trigger configuration.
- This function may not work properly if there are time differences between Zabbix server, proxy and agent. See also: Time synchronization requirement.
Example:
percentile(/host/key,(sec|#num)<:time shift>,percentage)
The P-th percentile of a period, where P (percentage) is specified by the third parameter.
Supported value types: Float, Integer.
Parameters:
- See common parameters
- percentage - a floating-point number between 0 and 100 (inclusive) with up to 4 digits after the decimal point
Examples:
percentile(/host/net.if.in[eth0,bytes],1h,95)>1000000 #95th percentile network input (bytes/sec) over 1 hour has gone beyond a threshold (e.g., 1 MB/s)
percentile(/host/system.cpu.util,5m,95)>80 #95th percentile of CPU utilization user-time percentage has gone above 80
percentile(/host/icmppingsec[192.168.0.2],15m,95)>0.15 #most latency measurements are below 150 ms but the higher-end tail (top 5%) implies regular lag
percentile(/host/net.if.in[eth0,bytes],1h,50) #calculate the 50th percentile (the median value) of incoming network traffic for an hour; this yields a different result from avg() (the average), as percentile does not consider outlier values
(percentile(/host/net.if.in[eth0,bytes],1h,50)+percentile(/host/net.if.in[eth0,bytes],1h,51))/2 #calculate precise median value with an even number of values for an hourrate(/host/key,sec<:time shift>)
The per-second average rate of the increase in a monotonically increasing counter within the defined time period.
Supported value types: Float, Integer.
Parameters:
Functionally corresponds to 'rate' of PromQL.
Examples:
rate(/host/key,30s) #if the monotonic increase over 30 seconds is 20, this function returns 0.67.
rate(/host/net.if.in[eth0,bytes],5m)>500000 #the incoming interface traffic rate on eth0 has exceeded 500 KB/s over the past 5 minutes
rate(/host/app.requests.count,1m)>100 #the request count counter has risen at >100 requests per second in the last minute