Help with trigger expression

  • Melon Mollusk
    Junior Member
    • Feb 2020
    • 7

    #1

    Help with trigger expression

    Hi, I receive alerts, via Zabbix sender, from another platform that I have no control over; these alerts have the values 0 or 1.

    Whenever a 1 arrives, a problem is triggered:

    .last()}>0

    Whenever a 0 arrives, a problem is recovered:

    .change()}=-1


    If I get a 1 and then a 0, the difference will be -1 (change()) and the problem is recovered;
    if I get a 1 and then a 1, the difference will be 0, so the problem is not recovered.

    It works OK, but the issue that I have is that sometimes in a short span of time I get too many problems from the same host and item.

    What will be the best way to avoid this issue?
  • Hamardaban
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • May 2019
    • 2713

    #2
    You can use historical functions for the trigger expression:
    count(/host/key,5m,eq,1)>0

    or an aggregate function:
    max(/host/key,5m)>0

    Both of these examples will fire the trigger if at least one value equal to 1 is received within 5 minutes and will set off the trigger if the received values are zero or there were none.


    Comment

    • Melon Mollusk
      Junior Member
      • Feb 2020
      • 7

      #3
      Hi Hamardaban, thanks for your answer. I'm testing your first option: .count(2m,1)}>0

      The problem is that if the 0 (to recover the trigger) arrives before those 2 minutes, the problem never closes; only after those 2 minutes can I close the problem.

      In the screenshot below, I send a 0 to Zabbix seconds after sending a 1.

      [Screenshot: image.png]
      So I'm looking for something like this: if a 0 arrives before the 2 minutes, don't recover the problem until those 2 minutes have passed.
      Last edited by Melon Mollusk; 08-01-2024, 16:55.

      Comment

      • irontmp
        Member
        • Sep 2023
        • 36

        #4
        Originally posted by Melon Mollusk
        Hi, I receive alerts, via Zabbix sender, from another platform that I have no control over; these alerts have the values 0 or 1.

        Whenever a 1 arrives, a problem is triggered:

        .last()}>0

        Whenever a 0 arrives, a problem is recovered:

        .change()}=-1


        If I get a 1 and then a 0, the difference will be -1 (change()) and the problem is recovered;
        if I get a 1 and then a 1, the difference will be 0, so the problem is not recovered.

        It works okay, but the issue that I have is that sometimes in a short period, it is challenging to concentrate on finding the
        best surf skates.
        What will be the best way to avoid this issue?
        To avoid the issue of receiving too many alerts from the same host and item in a short time span, consider implementing event suppression logic. This could involve setting a cooldown period during which additional alerts for the same problem are ignored. Additionally, adjusting thresholds, implementing flapping detection, aggregating alerts, and using alert escalation can help manage and filter the notifications more effectively.

        Comment

        • ISiroshtan
          Senior Member
          • Nov 2019
          • 324

          #5
          Melon Mollusk, it seems to me you initially had set the trigger with a trigger expression AND a recovery expression. The trigger expressions suggested by Hamardaban require only a trigger expression and no recovery expression. So the trigger should be set to
          "OK event generation" - "Expression".

          With such a setup the expression
          count(/host/key,5m,eq,1)>0

          would not care about "0". It will fire an alert if there is at least one message with "1" over the last 5 min and will auto close if there are no such messages in 5 min.

          Which also means that each alert will exist for at least 5 minutes before closing and will not auto close on 0.


          If you want to have the trigger follow the logic of 1 - open, 0 - close, but also have protection against flapping too often... Well, it is a rather complex scenario to draft...
          Like OK, we get 1 - we open a problem, we get 0 - we close the problem. But what to do if too much flapping happens?
          Not open a new problem? When is it allowed to be opened again?
          Not close the already open problem? If not closing - when do you actually want to close it automatically?

          Comment

          • Melon Mollusk
            Junior Member
            • Feb 2020
            • 7

            #6
            Hi and thanks to all, I have tested

            count(/host/key,5m,eq,1)>0
            max(/host/key,5m)>0

            But the trigger never recovers after the 5 minutes when no "1"s have arrived; maybe I'm missing something in the creation of the host/item/trigger? Below is the script.

            Maybe an important thing is that these are alerts from another platform, so they don't have a particular interval; they can arrive at any moment.

            Code:
            #!/bin/bash
            
            # Variables
            API_URL="https://.../zabbix/api_jsonrpc.php"
            HOST_NAME="host_decal_test"
            ITEM_NAME="2_item_decal_test"
            TRIGGER_NAME="2_trigger_decal_test"
            ZABBIX_SERVER="musi.pro.anida.cl"
            ZABBIX_PORT="your_zabbix_port"
            ITEM_KEY="2_item_key_decal"
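            auth="..."

            # Create host.
            # Note: --insecure makes curl skip TLS certificate verification, so the
            # API token in "auth" is sent without verifying the server's identity.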
            hostid=$(curl -X POST -H 'Content-Type: application/json' --insecure -d "{
            \"jsonrpc\": \"2.0\",
            \"method\": \"host.create\",
            \"params\": {
            \"host\": \"$HOST_NAME\",
            \"interfaces\": [
            {
            \"type\": 1,
            \"main\": 1,
            \"useip\": 1,
            \"ip\": \"127.0.0.1\",
            \"dns\": \"\",
            \"port\": \"10050\"
            }
            ],
            \"groups\": [
            {
            \"groupid\": \"19\"
            }
            ]
            },
            \"auth\": \"$auth\",
            \"id\": 1
            }" $API_URL | jq -r '.result.hostids[0]')
            
            # Get the interface id of the host
            interfaceid=$(curl -X POST -H 'Content-Type: application/json' --insecure -d "{
            \"jsonrpc\": \"2.0\",
            \"method\": \"hostinterface.get\",
            \"params\": {
            \"hostids\": \"$hostid\"
            },
            \"auth\": \"$auth\",
            \"id\": 1
            }" $API_URL | jq -r '.result[0].interfaceid')
            
            # Create item (type 2 = Zabbix trapper, value_type 3 = numeric unsigned)
            itemid=$(curl -X POST -H 'Content-Type: application/json' --insecure -d "{
            \"jsonrpc\": \"2.0\",
            \"method\": \"item.create\",
            \"params\": {
            \"name\": \"$ITEM_NAME\",
            \"key_\": \"$ITEM_KEY\",
            \"hostid\": \"$hostid\",
            \"type\": 2,
            \"value_type\": 3,
            \"interfaceid\": \"$interfaceid\",
            \"delay\": \"30s\"
            },
            \"auth\": \"$auth\",
            \"id\": 1
            }" $API_URL | jq -r '.result.itemids[0]')
            
            # Create trigger (recovery_mode 0 = recover when the problem expression is no longer true)
            triggerid=$(curl -s -X POST -H 'Content-Type: application/json' --insecure -d "{
            \"jsonrpc\": \"2.0\",
            \"method\": \"trigger.create\",
            \"params\": {
            \"description\": \"$TRIGGER_NAME\",
            \"expression\": \"{${HOST_NAME}:${ITEM_KEY}.count(2m,1)}>0\",
            \"recovery_mode\": 0,
            \"priority\": 4
            },
            \"auth\": \"$auth\",
            \"id\": 1
            }" $API_URL | jq -r '.result.triggerids[0]')
            

            Comment
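Added example (not from any poster, and not Zabbix code): a toy Python model of the two designs discussed in posts #1, #5 and #6, run over constructed trapper values. When the expression is recalculated is an input to the model (`eval_times`, an assumption, as are all function names), so it shows how the count window behaves when checked only as values arrive versus on an assumed periodic 30-second re-check.

```python
# Added example: toy model of the two trigger designs in this thread.
# Not Zabbix code; timestamps are seconds, sample values are constructed.

def last_change_design(values):
    """Post #1: problem on last()>0, recovery on change()=-1, checked per value."""
    problems, in_problem, prev = 0, False, None
    for _, v in values:
        if not in_problem and v > 0:
            in_problem, problems = True, problems + 1
        elif in_problem and prev is not None and v - prev == -1:
            in_problem = False
        prev = v
    return problems, in_problem

def count_design(values, eval_times, window):
    """Posts #2/#5: count(window, eq 1) > 0, no recovery expression.

    eval_times is an assumption of this model: the instants at which the
    expression is recalculated. Returns (problems opened, close time or None).
    """
    problems, in_problem, closed_at = 0, False, None
    for now in sorted(eval_times):
        ones = sum(1 for t, v in values if v == 1 and now - window < t <= now)
        if ones > 0 and not in_problem:
            in_problem, problems, closed_at = True, problems + 1, None
        elif ones == 0 and in_problem:
            in_problem, closed_at = False, now
    return problems, closed_at

# Constructed trapper traffic: three 1/0 flaps inside one minute, then silence.
SAMPLE = [(0, 1), (10, 0), (20, 1), (30, 0), (40, 1), (50, 0)]
WINDOW = 300  # the 5m from count(/host/key,5m,eq,1)

ARRIVALS = [t for t, _ in SAMPLE]
PERIODIC = ARRIVALS + list(range(60, 601, 30))  # assumed 30 s re-check

if __name__ == "__main__":
    print("last/change:", last_change_design(SAMPLE))
    print("count, evaluated on arrival only:", count_design(SAMPLE, ARRIVALS, WINDOW))
    print("count, evaluated periodically:", count_design(SAMPLE, PERIODIC, WINDOW))
```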
