Zabbix Item returning multiple values for multiple possible trigger events

  • Mbar
    Junior Member
    • Jan 2022
    • 10

    #1

    Zabbix Item returning multiple values for multiple possible trigger events

    First off, I want to say Zabbix is an amazing, flexible software package. I am using Zabbix v5.4.7.

    I'm having trouble working out what the most efficient method would be to implement one of my use cases.

    I want to monitor an interface.

    To do this I query a database table every 30 minutes to grab a list of all interface rejections.
    I will feed Zabbix an object list similar to the below:

    Code:
    {
    "12345":{"packet":"12345","ORDER_NO":"ORDERXYZ","REJECTION_REASON":"Order already active- Picking in progress - unable to update order"},
    "12346":{"packet":"12346","ORDER_NO":"ORDERABC123","REJECTION_REASON":"Product COSTCO/PR123 doesn't exist in Item Master configuration"}
    }
    There could be multiple rejections and each "packet" needs to be handled individually.

    I have no trouble creating the custom monitoring item and returning the data to the Zabbix Server. My difficulty is on the trigger side.

    I'd like to create a trigger event for each rejected packet that provides useful information about the issue.

    Eg:

    Problem: Interface Rejection - Packet 12345 - Order ORDERXYZ
    Problem Started: {time}
    Rejection Reason: Order already active- Picking in progress - unable to update order


    I'd like to be able to create events based on packet number and not trigger problems for the same packet number multiple times (it could be there for a while).

    Can this be done using a single item + trigger?

    Or do I have to use low-level discovery? Low-level discovery for this use case sounds extremely messy. I wouldn't want to create a new item/trigger for each interface packet.
  • Mbar
    Junior Member
    • Jan 2022
    • 10

    #2
    Hello, does anyone have any ideas?


    • ISiroshtan
      Senior Member
      • Nov 2019
      • 324

      #3
      Now, this is not a solution, it's just some thoughts on how to achieve some of your desires based on my past experience. It does not fit your task perfectly, but maybe it can give you a direction to proceed in to build what you want.

      From my experience there are 2 problem areas in your task that I don't know how to solve:

      1. Data coming in bulk
      2. How to resolve problems

      Now in details:

      Issue #1: To this point I've not had a solution that managed data coming in bulk. As of now I'd suggest looking into a way to split them into separate items. So instead of feeding a single:

      Code:
      {
      "12345":{"packet":"12345","ORDER_NO":"ORDERXYZ","REJECTION_REASON":"Order already active- Picking in progress - unable to update order"},
      "12346":{"packet":"12346","ORDER_NO":"ORDERABC123","REJECTION_REASON":"Product COSTCO/PR123 doesn't exist in Item Master configuration"}
      }
      Send it as
      Code:
      {"12345":{"packet":"12345","ORDER_NO":"ORDERXYZ","REJECTION_REASON":"Order already active- Picking in progress - unable to update order"}}
      and
      Code:
      {"12346":{"packet":"12346","ORDER_NO":"ORDERABC123","REJECTION_REASON":"Product COSTCO/PR123 doesn't exist in Item Master configuration"}}
      How to set up multiple events from one trigger and de-duplicate: now, assuming the data comes in as separate events, you can set up a trigger that analyzes each event and decides on raising an alert. Important points here:
      • You need to use Macro and macro function in trigger fields to extract data from value. For example: Trigger name:
        Code:
        Interface Rejection - Packet {{ITEM.VALUE1}.regsub("\"packet\":\"(.*?)\"",\1)}  - Order  {{ITEM.VALUE1}.regsub("\"ORDER_NO\":\"(.*?)\"",\1)}
        ; Trigger description: Rejection
        Code:
        Reason: {{ITEM.VALUE1}.regsub("\"REJECTION_REASON\":\"(.*?)\"",\1)}
      • You need to use tags, to be able to use global event correlation to close duplicates. You define a tag (a uniqueness criterion; I'd assume it to be the packet number) like
        Code:
         "Tag name": "Number";
        Code:
        "Tag value": "{{ITEM.VALUE1}.regsub("\"packet\":\"(.*?)\"",\1)}"
      • You set expression like
        Code:
        last(/host/key,#1) <> last(/host/key,#2)
        Or actually any expression that would fire on each new value would do for starters.
      • You set global event correlation with the rule "Value of old event tag Number equals value of new event tag Number" and the operation "Close new event" (additionally, it makes sense to limit event correlation to a specific host group to reduce the number of events that are sent for the correlation check)
      • You set the trigger to "Event Generation Mode - Multiple"
      As a result you have one trigger that generates a new alert for each incoming message, and if an alert is identified as a duplicate, it is immediately closed.

      Issue #2: I'm not sure how to resolve problems in such an approach. As it's an event-driven trigger, optimally it needs a separate unique event to indicate the issue is resolved. Just the absence of a value will not do.
      Unless you expect this alert to not come that frequently. In which case you can just modify the trigger expression to have a time limit like
      Code:
      last(/host/key,#1) <> last(/host/key,#2) and nodata(/host/key,10m)=0
      This way, if there are no new events in 10 minutes, all problems created by this trigger will be closed. But mind: not only no events about a specific packet, but no events AT ALL.

      I will think of other approaches to look into, but so far I'm not able to advise anything else.

      Hope it helps!

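An added example, not part of the posts above and not Zabbix's own code: it splits the bulk object from post #1 into one value per packet as post #3 suggests, checks that the three regsub patterns still match the serialized values (Python's `re` stands in for Zabbix's regsub), and mimics the "close new event" correlation rule. The host name `wms-host` and item key `interface.rejection` are assumptions.

```python
import json
import re

# Constructed sample: the bulk object from post #1.
BULK = json.loads("""{
"12345":{"packet":"12345","ORDER_NO":"ORDERXYZ","REJECTION_REASON":"Order already active- Picking in progress - unable to update order"},
"12346":{"packet":"12346","ORDER_NO":"ORDERABC123","REJECTION_REASON":"Product COSTCO/PR123 doesn't exist in Item Master configuration"}
}""")

# Patterns from the trigger name, description and tag in post #3.
PATTERNS = {f: '"%s":"(.*?)"' % f for f in ("packet", "ORDER_NO", "REJECTION_REASON")}

def split_bulk(bulk, compact=True):
    """Return one JSON value per packet, as post #3 suggests."""
    # Compact separators matter: json.dumps defaults to '": "' (with a space),
    # which the patterns above do not match.
    sep = (",", ":") if compact else None
    return [json.dumps({k: v}, separators=sep) for k, v in bulk.items()]

def extract(value):
    """Apply the three patterns; Python's re stands in for regsub here."""
    found = {}
    for field, pattern in PATTERNS.items():
        m = re.search(pattern, value)
        found[field] = m.group(1) if m else None
    return found

def sender_line(host, key, value):
    """One line of a zabbix_sender input file: host, key, quoted value."""
    # Inside a quoted entry, backslash and double quote are backslash-escaped.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"%s" %s "%s"' % (host, key, escaped)

def stays_open(values, open_numbers):
    """Mimic the correlation rule: a new event whose Number tag equals an
    existing event's Number tag is closed; return the packets that remain."""
    seen, kept = set(open_numbers), []
    for value in values:
        number = extract(value)["packet"]
        if number not in seen:
            seen.add(number)
            kept.append(number)
    return kept

if __name__ == "__main__":
    for v in split_bulk(BULK):
        # Hypothetical host name and trapper item key.
        print(sender_line("wms-host", "interface.rejection", v))
```

The printed lines are in the format read by `zabbix_sender -i <file>`, with one value per packet.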