Zabbix 4.4.6
Hello
I have some logs which I get by Zabbix Agent from servers.
These logs don't have many values, but they go all the way back 4-5 years (and I can't modify the log files to delete or archive them).
Log entries have timestamps, which I read.
Log time format: yyyy-MM-ddphh:mm:ss
1. First question
I created a trigger which will start if the last message of the log contains some string
Code:
{EXAMPLELog:logrt["{$PATH}Errors",,"windows-1251",80].regexp("2700100\s+[*]+",#1)}=1
But if I am adding a new device/server or deleting/recreating a template (because it's easier to duplicate macro-based triggers in a text editor than in the GUI), Zabbix not only reads the log from the stone age, but also creates triggers for old entries in the log even if there is the #1 option in the regexp
For example this entry created a trigger in 2021:
Code:
2018-01-22 09:25:59 2700100 *** A - type remote alarm
How can I avoid that? If it is Zabbix's logic of parsing the log file, maybe there is some workaround to check trigger conditions only for entries with a timestamp of now-1day or something?
2. And second question
I have spamming entries in the log which can be fired and closed several times in a minute (like a heartbeat but with close conditions)
For example 3 open/close entries in 2 minutes (* open, - close)
Code:
2018-01-22 09:25:59 2700100 *** A - type remote alarm
2018-01-22 09:26:10 2700100 --- A - type remote alarm
2018-01-22 09:26:10 2700100 *** A - type remote alarm
2018-01-22 09:26:15 2700100 --- A - type remote alarm
2018-01-22 09:26:20 2700100 *** A - type remote alarm
2018-01-22 09:26:50 2700100 --- A - type remote alarm
I want to create a trigger only on the first entry and close it only if there was no new firing in the last N minutes
I created a recovery condition with count and regexp macros
Code:
{EXAMPLELog:logrt["{$PATH}Errors",,"windows-1251",80].regexp("2700100\s+[-]+",#1)}=1
and
{EXAMPLELog:logrt["{$PATH}Errors",,"windows-1251",80].count(5m,"2700100\s+[*]+",regexp)}=0
So it should be closed when there is a close message and there were no new open messages within the last 5 minutes
BUT: if the problem was opened and closed within a few seconds, the 5 minutes condition is not applied and the incident stays open.
How can I check the last N minutes' count without counting the initial entry that triggers the trigger?
P.S. Is there a way to check whether the open and close messages were within 1 minute of each other, and not fire anything in that case? So as to check only for long incidents, not open/close conditions lasting a few seconds. It's all easy when I deal with SNMP and metrics which get walked every n minutes and so on, but I don't know how to deal with logs correctly. And these devices can't do anything besides logs
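The alerting behaviour asked for in the post, modelled outside Zabbix as an added example (not part of the original post and not a Zabbix configuration): entries older than a cut-off are ignored, flapping open/close pairs are merged into one incident, and recovery happens only after a quiet period following the last close. The names `incidents`, `max_age`, `quiet` and `min_open` are hypothetical, the 2021 lines are constructed, and the sketch works from the timestamps written in the log lines.

```python
import re
from datetime import datetime, timedelta

# timestamp, alarm code, then "***" (open) or "---" (close), as in the post's sample
LINE = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\*{3}|-{3})\s")
# The six sample lines from the post.
OLD = """\
2018-01-22 09:25:59 2700100 *** A - type remote alarm
2018-01-22 09:26:10 2700100 --- A - type remote alarm
2018-01-22 09:26:10 2700100 *** A - type remote alarm
2018-01-22 09:26:15 2700100 --- A - type remote alarm
2018-01-22 09:26:20 2700100 *** A - type remote alarm
2018-01-22 09:26:50 2700100 --- A - type remote alarm""".splitlines()
# Constructed recent entries (not from the post).
NEW = """\
2021-03-01 10:00:00 2700100 *** A - type remote alarm
2021-03-01 10:00:05 2700100 --- A - type remote alarm
2021-03-01 10:02:00 2700100 *** A - type remote alarm
2021-03-01 10:04:00 2700100 --- A - type remote alarm
2021-03-01 11:58:00 2700100 *** A - type remote alarm""".splitlines()

def incidents(lines, code, now, max_age, quiet, min_open=timedelta(0)):
    """Return [(opened, recovered)]; recovered is None while still a problem."""
    out, start, closed = [], None, None
    def settle(until):
        # Finish the current incident if its quiet period has elapsed by `until`.
        nonlocal start, closed
        if start is None or closed is None or until - closed < quiet:
            return False                  # still active, or inside the hold-down
        if closed - start >= min_open:    # P.S.: drop blips shorter than min_open
            out.append((start, closed + quiet))
        start = closed = None
        return True
    for line in lines:                    # assumes chronological (append-only) order
        m = LINE.match(line)
        if not m or m.group(2) != code:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if now - ts > max_age:            # question 1: ignore stale history
            continue
        if m.group(3) == "***":
            settle(ts)                    # an earlier incident may have recovered
            if start is None:
                start = ts                # fire only on the first open
            closed = None                 # a re-open cancels the pending recovery
        elif start is not None:
            closed = ts
    if start is not None and not settle(now):
        out.append((start, None))
    return out
```
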