Hello friends, how are you?
I need help, please!
I created two items to monitor the Windows event log. The Event ID 23 item refers to an application's connection drop and the Event ID 27 item refers to the reestablishment of this same connection. I created the trigger as below; the alert is generated, however, it is not resolved. The items are receiving the collected values normally.
Can any friend help with the solution of this case?
Thank you in advance for your attention!
Trigger
Incident: {srv-his:eventlog[Application,,,,23].logeventid(^[2][3]$)}=1
Retrieval: {srv-his:eventlog[Application,,,,27].logeventid(^[2][7]$)}=1