logeventid trigger function only gets the value from last log entry. So it's not possible to have a trigger function, that checks logeventid of last and previous entry. This is sad, you can search, if there is a request for such functionality in zabbix bug tracker (support.zabbix.com) and create one if there is not.

You can try str trigger function - it would allow to search for a specific text in a number of last log entries.

And there's some black magic, that can do the trick (not sure, if that's the best way of doing it)
Create a trigger, say trigger_1 with the following expression:
This trigger goes to problem on every 1-st appearance of 6005, but goes to OK, if 6005 comes for the 2-nd time.

Create trigger_2:
And set that it depends on: trigger_1.

This way trigger_2 will only get triggered on 2-nd appearance of 6005 (of the first appearance this trigger is blocked by dependency on trigger_1).

Hope that helps.

Thanks for much for your quick and knowledgeable reply !

Hmm, I am starting to wonder if this is really the best way to go about this ? I wonder if there's an easier way to detect an unexpected reboot on a Windows machine ?

I'm essentially looking for an OS startup without a proper OS shutdown. Is there a better way to detect this ?

-Chad

Windows has an eventlog message for unclean shutdown. Just create a one trigger for that.

The problem with log triggers is that once a second eventlog message comes through that doesn't match, the trigger clears and it won't show up on the dashboard. The good news is you will see it in the event history and you will get a notification.

Ahh, I think I found it.

Event ID 41 : The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Is that the one ?

Thanks !

-Chad