When starting out with Zabbix, a full read (or at least "skim") through the built-in documentation for the version you're using is a good idea, to get an overview of everything that is built-in to your version of the software. Once you have a good handle on the documentation, then the Zabbix blog and the official templates are good places to learn strong techniques for solving complicated real-world problems and "best practices" for writing your own triggers, dashboards, etc.

If you can identify how to gather the data (the item) you need for making decisions, then one of the trigger functions (or perhaps a combination of trigger functions) will be needed for Zabbix to evaluate to determine that there is a problem condition. Spending some time reading the chapter on triggers and looking at the trigger logic in some of the official templates will get you a good idea of how you might accomplish what you need to do with your item. Note that the official templates have been undergoing updates and improvements and are quite powerful and quite configurable, but that also has added to their complexity. Don't get discouraged if you don't understand something in the official templates right away.

If you can get the problem to show up in the dashboard, then you have Zabbix detecting the problem condition.

Once a problem has been identified, "actions" are what Zabbix executes to do things like send alerts or (if you set it up) possibly remediate the problem directly (like restart a service in the case of a service that failed, etc.). Alerts are one area of monitoring where it seems like each site has their on policies on how soon, how frequently, and how much to alert for any particular type of problem.

Read the chapter on "actions" carefully and you'll probably be able to identify an approach that will work for your organization. For example, alert actions may relate to what host group a monitored switch or host is part of. Or, if you make good use of "tags", maybe your actions will use tags as part of the criteria. You might even have actions that use time of day or day of the week as part of their criteria. There's a lot you can configure, but a great deal of it is going to depend on what your organization wants.

Sorry about the sort of "vague" answer, but if you can identify specific questions, it's likely someone will eventually be able to help.

I kinda expected that sort of "vague" answer hehe :-) I do appreciate taking the time, so Thanks!
Believe me, I am always reading the built-in information and not just for zabbix, I am in IT field, but more specialized in the Network (cisco) admin.
The thing is I am BAD at scripts but I will probably take a Zabbix course @Udemy or somewhere similar.

However, I would expect somebody to have a similar setup. We are surely not alone trying to monitor bandwidth within a threshold?
I am all for "Teach a man to fish..." concept. But it would really help to see an example of a modified trigger that goes into alarma state when the values are out of bounds. I good at drawing conlusions based on an example and applying them onto my cases.

Is there a good Zabbix course that you would recommend that might help in my situaton?

Hello Yush,

I would like to understand the situation as best as I can to help you, currently you are already bringing up the bandwidth values on the port in question?

If that's the case your request is only about creating the trigger right?

Sincerely, Oz_Joris

Hi Oz_Joris,

Example:
Cisco switch: C9300-48T
SwitchPort: Gi1/0/1
Template: Cisco IOS versions 12.0_3_T-12.2_3.5 SNMP

Data (bandwidth) is recorded and correctly displayed on the graph.
Avg for Bits sent is 3.55 Mbps, eht port speed is 1Gbps. Traffic is constant video stream.

I am thinking in this direction or something similar...
1. Find appropriate trigger and make a clone of that trigger... and rename it...
2. Make value changes on the new, cloned trigger...
3. Create an Trigger Action with a combination of conditions (Trigger + Trigger severity)
... ?


I found a trigger that I plan to test with. It does something similar to what I am seeking...

Name:
Interface Gi1/0/1(KIDS_TV_IN1): High bandwidth usage (>{$IF.UTIL.MAX:"Gi1/0/1"}% )

Operational Data:
In: {ITEM.LASTVALUE1}, out: {ITEM.LASTVALUE3}, speed: {ITEM.LASTVALUE2}

Expression:
And
Or
A {C9300-D1:net.if.in[ifHCInOctets.9].avg(15m)}>({$IF.UTIL.MAX:"Gi1/0/1"}/100)*{C9300-D1:net.if.speed[ifHighSpeed.9].last()}
B {C9300-D1:net.if.out[ifHCOutOctets.9].avg(15m)}>({$IF.UTIL.MAX:"Gi1/0/1"}/100)*{C9300-D1:net.if.speed[ifHighSpeed.9].last()}
C {C9300-D1:net.if.speed[ifHighSpeed.9].last()}>0

Recovery Expression:
{C9300-D1:net.if.in[ifHCInOctets.9].avg(15m)}<(({$IF.UTIL.MAX:"Gi1/0/1"}-3)/100)*{C9300-D1:net.if.speed[ifHighSpeed.9].last()} and
{C9300-D1:net.if.out[ifHCOutOctets.9].avg(15m)}<(({$IF.UTIL.MAX:"Gi1/0/1"}-3)/100)*{C9300-D1:net.if.speed[ifHighSpeed.9].last()}

I did not test yet. I am in the process of learning "as we speak" ...

Thanks