log / logrt / log.count / logrt.count
https://blog.zabbix.com/zabbix-log-f...nitoring/7378/

Zabbix does not support RTF when parsing the log file. It's always parsing it as clear text. As to Windows, Zabbix can monitor EventLog, but I guess it's not what you need.

We have been experimenting with trying to get a log file to detect problem expression below and generate an alert, then look for a recovery expression and clear the alert the problem expression created. We have looked through blogs and tons of sites but cannot conclusively get an explanation why the first expression (below) works to trigger an alert, but the recovery expression that follows the first in the log does not clear the alert. Here are the expressions. We have tried multiple variations or the recovery expression without success. Please help.

Problem: {V00WISPECOC01T:log[C:\ifc8\cvps\OPERA_PMS1_04.20_14.log,,,,skip].logeventid(ChangeLinkState:CommOff)}=0
Recovery: {V00WISPECOC01T:log[C:\ifc8\cvps\OPERA_PMS1_04.20_14.log,,,,skip].logeventid(ChangeLinkState:CommOn)}=1

Hi Cyber, ironically it does work. We were working on trying to monitor .rtf files. According to Dimir, .rtf files aren’t supported. So we tried as many different settings we could think of, the standard item- log[C:\ifc8\cvps\OPERA_PMS1_04.20_14.rtf,ComOff] , it shows up it in the devices Items as "status enabled", but if we use trigger {servername:log[C:\ifc8\cvps\OPERA_PMS1_04.20_14.rtf,ComOff].last()}=0 and then place the expression "CommOff" in the log, no alert nothing happens. However if we use item- log[C:\ifc8\cvps\OPERA_PMS1_04.20_14.rtf,CommOff] and the trigger set to {servername:log[C:\ifc8\cvps\OPERA_PMS1_04.20_14.rtf,CommOff].logeventid(CommOff)}=0 We place the expression "ComOff" in the log file and wallah we get an alert. We are trying to determine what the correct Recovery expression would be. Could you share what you feel the correct solution would be?

First of all.. logeventid? Isn't it for windows eventlog items?
Second... The recovery expression being TRUE alone does not resolve a problem if the problem expression is still TRUE!
Even if that logeventid would work here (which I doubt)... you are setting a recovery expression to a condition that actually creates the problem at first place..

Status "enabled" just means that your syntax for "log" type of item is correct. It has all needed for work, path to logfile and pattern to search for. But as log item is not able to read rtf (it takes it all literally and is not able to parse all that formatting etc, whatever there is in that file), then it probably finds a value there, but is never able to track new values...
Just as Dimir said.
Lets just assume, that you get a value out of that file...function last()=0 cannot give you any positive result here... How do you expect this to trigger something if your value is something containing "ComOff" and you compare it to 0? You probably should be using regexp instead (regexp("ComOff")=1).
Why your logeventid function gave you a trigger? Because you gave it a pattern and then made sure it does not match it...(Returns: 0 - does not match, 1 - matches). Your data does not contain any logeventid anyway (it is a windows event log thing), so whatever you set there... it will not match anyway... you can try with any other string or number, still same result. And all this oonly because you have item "type of information" set to "log". Set it to text or character and you have no option even to use logeventid() any more.
As I said before... Recovery expression is ADDITIONAL condition, that must be matched for a trigger become false... It is not enough alone to recover the trigger... your initial trigger condition has to become false also.
It seems you are far off from understanding how trigggers work and trying to apply functions, where they do not work..
I would suggest reading docs