One thing that you forget, is that trigger is recalculated after each new value...So it is pretty natural, that it will fire right after each "started" message...

Any ideas how to get a trigger only if there is no "completed" within a minute?

Not right now... head is full of cotton....

Maybe count? you could count if completed and finished are both within one min?
Something like ?


​count(/server/log[/var/log/example.log,DEBUG,"like","notification started"],1m) > (count(/server/log[/var/log/example.log,DEBUG,"like","notification completed"],1m) and count(/server/log[/var/log/example.log,DEBUG,"like","notification started"],1m) > 0)
​

CS​>(CC​ and CS​>0)

im on the phone right now (not sure if syntax is correct), but you would have to add additional layer of checking for 1m period each time you got new value. With this logic it ensures that if in last minute you have one started and one completed it won't trigger - this calculation would run each time you have new value in log to evaluate if there was a problem or if it ran longer than minute.

you could build around this logic maybe - I'm not sure if this will work right away but will get you started maybe. You can also use LAST also in this logic if you have a lot of "started"within minute.

If there was value A and there was no value of B within 1 minute," you can use the following approach:
yamlCopy code
groups: - name: example rules: - alert: LogConditionNotMet expr: | count_over_time( find(/server/log[/var/log/example.log,DEBUG],1m,"like","notification started") ) > 0 and count_over_time( find(/server/log[/var/log/example.log,DEBUG],1m,"like","notification completed") ) == 0 for: 1m labels: severity: warning annotations: summary: "Condition not met: Notification started without completion"
This rule checks for the condition within a 1-minute window. If there are "notification started" entries and no "notification completed" entries within that window, the alert "LogConditionNotMet" will be triggered. Adjust the severity, summary, and other parameters as needed.

Make sure to adapt the configuration to your Prometheus setup, and don't forget to reload the Prometheus configuration after making changes.​

Now I'm thinking it won't work right away. Not sure if you could do it without the "flapping trigger". It might work with a delayed action/notification but don't think this is good idea.
There could be another way maybe? Bit more complex but more accurate.

You could have another item/s that take timestamps and calculate difference? And if it greater than 1m trigger?

I assume each task always finish but not always within 1m? - this is real question here.


or create another depending item that will pull last 2x values with preprocessing to extract timestamp and compare if it is less than 1 min from each other (unix timestamp) and if completed time is always bigger than started as additional condition? - assuming task always is completed.

then setup additional trigger to check if last both values are "started" - that will check if it never finished

This is the essence of the task. Receive a notification if there is a start, a minute has already passed and there is no complete. Unfortunately, it does not always complete and intervention is required.

Finaly, think that it will be more easy to do with user script, sending to zabbix 1 or 0