Ad Widget

**tim.mooney** · 01-08-2021, 08:00

You have an extra closing ')' in your expression, I think. Compare what's immediately before the = in the working vs. non-working scenarios.

It really can help to use the exression-builder, even as just a point of comparison.

Also, I don't think you want last() for this, I think you want delta().

**pmurtey** · 03-08-2021, 23:53

Hi Cyber, Our customer wants to know if there is no growth of the file in the last hour. I went ahead and removed the extra ) as suggested by Tim, and it accepted the expression, but when the log stops writing it doesn't appear to do anything. I tried substituting .delta(0,1h)}=0 as Tim suggested and I get an error incorrect trigger function , invalid first parameter.

**pmurtey** · 04-08-2021, 01:28

Hi Tim, I even tried the solution you posted in https://www.zabbix.com/forum/zabbix-...for-15-minutes of using the .delta(15m) == 0 and I get " Invalid parameter "/1/expression": incorrect trigger expression starting from "{servertname:vfs.file.size[/data01/usr/log/Notifier/notifier.log].delta(15m)==0".

**johndoe2374** · 05-08-2021, 09:51

I guess if you're using vfs.file.size you can also try to use change() function for your condidion. For example you collect your filesize data once an hour and change() will calculate difference between sizes in bytes. "Small amount of new bytes" - low activity, "0" - no activity at all. Function delta() is probably doing the same, but I didn't find it in expression builder.

**johndoe2374** · 05-08-2021, 10:47

Originally posted by cyber

It is there, really..

But I must agree, change() might be better in this case. If there is a change in size and it is positive, then everything is fine... Delta will not tell you, has it been growing or shrinking..

Well, I guess your screenshot is from 5.0 LTS version, and I can swear I saw this function previously when I had it installed on my server. But now I've updated it to 5.4.3: all functions are categorized and I still can't find it when creating any trigger.

**johndoe2374** · 05-08-2021, 11:53

It's still mentioned on these pages:

7 Predictive trigger functions

https://www.zabbix.com/documentation/current/manual/config/triggers/prediction

https://www.zabbix.com/documentation...s/prediction?s[]=delta

Oh, actually I've found it in manual's changelog:

5 What's new in Zabbix 7.4.0

https://www.zabbix.com/documentation/current/manual/introduction/whatsnew540

"delta function has been removed, you should use max-min instead"

Zabbix have a great documentation but still sometimes lacks very important info and very often you have to find it yourself by experimenting and observation.

**johndoe2374** · 05-08-2021, 12:39

Originally posted by cyber

hmm .. "max (<value1>,<value2>,…) - min (<value1>,<value2>,…)" ... computer says no... if there is no time period option..

valueX - value returned by one of history functions (change, count, countunique, find, first, fuzzytime, last, logeventid, logseverity, logsource, nodata, percentile, trendavg, trendcount, trendmax, trendmin, trendsum).
OK... trendmin and trendmax can give min and max values for 1h period... so I don't need min-max, can use those values directly... But if I need delta for 15 or 30 minute period, I am still in poop...

But this has moved far far away from initial question

No, I believe you use trendmin and trendmax to work with trend values, not actual values. Corresponding to this page:

1 Aggregate functions

https://www.zabbix.com/documentation/current/manual/appendix/functions/aggregate

Example:
⇒ max(/host/key,1h) - min(/host/key,1h) → calculate the difference between the maximum and minimum values within the last hour¹ (delta of values)

So, I believe pmurtey's trigger would look like that:

1. No difference between values for 1h:

Code:

max(<hostname>/vfs.file.size[/data01/usr/log/Notifier/notifier.log],1h)-min(<hostname>/vfs.file.size[/data01/usr/log/Notifier/notifier.log],1h)=0

2. Insignificant difference (less than 100 bytes):

Code:

max(<hostname>/vfs.file.size[/data01/usr/log/Notifier/notifier.log],1h)-min(<hostname>/vfs.file.size[/data01/usr/log/Notifier/notifier.log],1h)<=100

**pmurtey** · 06-08-2021, 20:51

Hi All, Using delta(15m)}=0 is working great for us. Thank you for helping with the syntax. Is there anything thats different that we need to be aware of if monitoring rotating logs?

**cyber** · 23-12-2021, 21:35

Why use vfs.file.size at all, when there is vfs.file.time ?

**cyber** · 23-12-2021, 21:41

use single =, not == and you seem to miss closing }
it shoudl look like this
{servertname:vfs.file.size[/data01/usr/log/Notifier/notifier.log].delta(15m)}=0
As Tim suggested, use expression builder, it helps to avoid such simple typos..

...

**cyber** · 23-12-2021, 21:44

Originally posted by johndoe2374

Function delta() is probably doing the same, but I didn't find it in expression builder.

It is there, really..

But I must agree, change() might be better in this case. If there is a change in size and it is positive, then everything is fine... Delta will not tell you, has it been growing or shrinking..

**cyber** · 23-12-2021, 21:45

Mine was from 4.4..

and is same for 5.0.. I have no newer installed here..

But looking at

5 Supported functions

https://www.zabbix.com/documentation/current/manual/appendix/functions

you are right.. there is no delta() any more... also no diff() (can be replaced with change()) .... regexp() and iregexp() are gone, but there is now find()..
But it still leaves me thinking how delta is replaced...?

**cyber** · 23-12-2021, 21:47

hmm .. "max (,,…) - min (,,…)" ... computer says no... if there is no time period option..

valueX - value returned by one of history functions (change, count, countunique, find, first, fuzzytime, last, logeventid, logseverity, logsource, nodata, percentile, trendavg, trendcount, trendmax, trendmin, trendsum).
OK... trendmin and trendmax can give min and max values for 1h period... so I don't need min-max, can use those values directly... But if I need delta for 15 or 30 minute period, I am still in poop...
But this has moved far far away from initial question

**cyber** · 23-12-2021, 21:48

Hah! I was looking at wrong max and min...:P Those are described also under mathematical functions, which was the first to pop up for me..

Of course, they will work as needed, if used as described under aggregate functions..

Documentation mess...

Ad Widget

Unable to trigger on file size

Unable to trigger on file size

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment