NoData Trigger in Recovery Expression

  • superwinni2
    Junior Member
    • Jan 2018
    • 10

    #1

    NoData Trigger in Recovery Expression

    Hello together

    I would say I'm an advanced Zabbix user. But I don't know if I'm doing something wrong... I got the following trigger:

    Name:
    Code:
    Account was unlocked
    Problem Expression:
    Code:
    last(/DomainController/username.eventlog[security,,,,4767,,skip])<>0
    Recovery Expression:
    Code:
    nodata(/DomainController/username.eventlog[security,,,,4767,,skip],30)=1
    The Item "/DomainController/username.eventlog[security,,,,4767,,skip]" is a dependent item which only returns the username from the eventlog message. (like DOMAIN\Username )

    If I'm going to unlock a user the Problem is going to be generated. But even after minutes (when no data is being received) the recovery expression isn't working.

    If I'm going to put the recovery Expression in a new trigger as problem Expression it works like it should. If I stop sending data for 30s the problem is going to be generated.

    Can somebody explain why?

    Thanks and greetings
  • superwinni2
    Junior Member
    • Jan 2018
    • 10

    #2
    That did the Job!

    Thanks!


    • cyber
      Senior Member
      Zabbix Certified Specialist, Zabbix Certified Professional
      • Dec 2006
      • 4807

      #3
      My answer from here got lost, but the point is that recovery is an additional condition that has to be met besides the problem expression becoming false... no need to create recovery options where they are not needed...


      • superwinni2
        Junior Member
        • Jan 2018
        • 10

        #4
        Strange.. I saw your last answer... But now it's disappeared...

        Your answer fixed the problem but my logic isn't working...


        I've got 2 Domain Controllers.
        I want that if one controller got in eventlog "Security" the eventid 4740 there should be created a problem with a tag "username" with value DOMAIN\testuser.
        The Value will be extracted from the Eventlog message via JavaScript.
        To resolve the Problem Zabbix should watch for eventid 4767 in any DomainController and should close all problems with same tag "username".

        For this I've created my Problem expression:
        Code:
        (logeventid(/DomainController1/eventlog[security,,,,4740|4767,,skip],#1,"4740")=1 and logeventid(/DomainController1/eventlog[security,,,,4740|4767,,skip],#1,"4767")=0) or (logeventid(/DomainController2/eventlog[security,,,,4740|4767,,skip],#1,"4740")=1 and logeventid(/DomainController2/eventlog[security,,,,4740|4767,,skip],#1,"4767")=0)
        and Recovery expression:
        Code:
        (logeventid(/DomainController1/eventlog[security,,,,4740|4767,,skip],#1,"4767")=1) or (logeventid(/DomainController2/eventlog[security,,,,4740|4767,,skip],#1,"4767")=1)
        If DomainController1 creates the Problem (creates the eventlog with id 4740) and I'm going to unlock the account on DomainController1 (creates eventlog with id 4767) everything works fine. Also if I used DomainController1 in this case.
        If DomainController1 creates the Problem and I'm going to unlock the account on DomainController2 I get a new Problem message (if Multiple Problem Event generation is activated.)
        I don't know why.
        Do you know any solution for this?

        Thanks and greetings
        superwinni2


        • ISiroshtan
          Senior Member
          • Nov 2019
          • 324

          #5
          As to answer why it happens:

          Your trigger says to raise a problem if either DC1 or DC2 has 4740 as last event id.

          When account is locked on DC1, it has 4740 as last event id.

          When you unlock account on DC2, a new event id is pushed into Zabbix. When ANY item inside of a trigger receives a new value, the whole trigger gets re-evaluated. DC1 still has last event id 4740, right? So it satisfies the condition of raising a new problem and a new problem gets raised.

          Sadly not ready to tell on the spot how to change your trigger to get it do what you want.

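The behaviour described in posts #3 and #5, as an added example that is not part of the original thread and is not Zabbix code: a simplified Python model of the two-controller trigger, replayed over constructed event sequences. The function names, the `multiple_problems` switch and the treatment of an item without a value as "no match" are assumptions of this sketch.

```python
# Simplified model of how Zabbix decides PROBLEM/OK for the two-DC trigger in
# this thread. Added illustration, not Zabbix code; event sequences are constructed.
HOSTS = ("DomainController1", "DomainController2")

def last_id_is(last, host, event_id):
    # Stand-in for logeventid(/host/eventlog[...],#1,"<id>")=1.
    # Assumption: an item with no value yet counts as "no match".
    return last.get(host) == event_id

def problem_expr(last):
    return any(last_id_is(last, h, 4740) and not last_id_is(last, h, 4767)
               for h in HOSTS)

def recovery_expr(last):
    return any(last_id_is(last, h, 4767) for h in HOSTS)

def simulate(events, multiple_problems=True):
    """Replay (host, event_id) pairs and return the generated trigger events."""
    last, state, out = {}, "OK", []
    for host, event_id in events:
        last[host] = event_id          # a new value on ANY item re-evaluates the trigger
        if problem_expr(last):
            if state == "OK" or multiple_problems:
                out.append(("PROBLEM", host, event_id))
            state = "PROBLEM"
        elif state == "PROBLEM" and recovery_expr(last):
            # Recovery needs both: problem expression FALSE and recovery expression TRUE.
            out.append(("OK", host, event_id))
            state = "OK"
    return out

# Constructed sequences: lockout (4740) on DC1, unlock (4767) on DC1 or on DC2.
SAME_DC = [("DomainController1", 4740), ("DomainController1", 4767)]
CROSS_DC = [("DomainController1", 4740), ("DomainController2", 4767)]

if __name__ == "__main__":
    for name, seq in (("same DC", SAME_DC), ("cross DC", CROSS_DC)):
        print(name, simulate(seq))
```

In the cross-controller sequence the unlock on DomainController2 yields a second PROBLEM instead of an OK, because DomainController1 still holds 4740 as its last event ID; with `multiple_problems=False` the original problem simply stays open.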