Ad Widget

**ltep** · 16-02-2024, 12:37

Maybe using the "Find" function with the operator "Like" in the Trigger Expression can help?
The Like operator can be a string, like some specific text in eventlog message for example: Application ABC is not running. It will create a trigger when this string appears.

To automatically close the trigger you need a recovery expression in the same created trigger. For example: Application ABC is RUNNING. You can use Find and Like in this recovery expression.

Is this what you mean?

**Foboss360** · 16-02-2024, 17:30

Originally posted by ltep

Maybe using the "Find" function with the operator "Like" in the Trigger Expression can help?
The Like operator can be a string, like some specific text in eventlog message for example: Application ABC is not running. It will create a trigger when this string appears.

To automatically close the trigger you need a recovery expression in the same created trigger. For example: Application ABC is RUNNING. You can use Find and Like in this recovery expression.

Is this what you mean?

A slightly different task.
It is necessary to report the occurrence of a problem entry in the eventlog, and close the problem when the log rotation occurs and this entry is deleted.

I used these expressions, but none of them fit:

{Windows:eventlog[Application,,Error,,111].nodata(20m)}=0 - this one is definitely not suitable, since it is timed

({Windows:eventlog[Application,,Error,,111].count(#1)}>0) or ({Windows:eventlog[Application,,Error,,111].count(#1)}=0) - this one is triggered when an error is found, but for some reason the trigger does not close when there is no error in the logs anymore.

That is, as soon as an error entry with ID 111 appears in the eventlogs, then immediately there should be an opening event.
Conversely, when this error disappears in the eventlogs, there should be a closing event.

**cyber** · 19-02-2024, 11:53

You forget, that zabbix picks up the value and stores it in its own db. When your trigger expression refers to value, it refers to that saved value. It will not record a "0" or "nothing found" when with next check in agent it does not find matching line... So your trigger expression is always true.

**Foboss360** · 19-02-2024, 12:00

Originally posted by cyber

You forget, that zabbix picks up the value and stores it in its own db. When your trigger expression refers to value, it refers to that saved value. It will not record a "0" or "nothing found" when with next check in agent it does not find matching line... So your trigger expression is always true.

Ok.
And then how to make the trigger correctly so that it finds an error and, most importantly, closes when the error is already not found in the log?
How can I try to solve this problem?

**cyber** · 19-02-2024, 13:15

nodata() is your friend. I do not know how often you check, but nodata is recalculated in every 30sec. So if you check every second and have not received new value until that time, then you can close the event, right? Or if you check in longer periods, like once a minute, then maybe setting nodata for 2m (and maybe some seconds on top of it) interval is OK, so you know that second check did not return this value any more.

**Mohan7312** · 17-10-2025, 04:56

Hi Cyber,

i have retried using nodata function it not working , is there any other options?
i have trying use the find function also
find(/Template-Windows-IA-Common-2016/eventlog[System,,"ERROR|CRITICAL",Service Control Manager,7000,,],10m,"regexp",".*")=0
nodata(/Template-Windows-IA-Common-2016/eventlog[System,,"ERROR|CRITICAL",Service Control Manager,7000,,],10m)=1
but still is not working .

my problem expression is
logsource(/Template-Windows-IA-Common-2016/eventlog[System,,"ERROR|CRITICAL",Service Control Manager,7000,,],,"^Service Control Manager$")=1 and logeventid(/Template-Windows-IA-Common-2016/eventlog[System,,"ERROR|CRITICAL",Service Control Manager,7000,,],,"7000")=1

**cyber** · 17-10-2025, 12:31

You are collecting only ERRORand CRITICAL events with id 7000 from source "Service Control Manager"from Windows System log. Nothing else... Very precice match from beginning.
you can easily just use something like

Code:

bytelength(last(//Template-Windows-IA-Common-2016/eventlog[System,,"ERROR|CRITICAL",Service Control Manager,7000,,]))>0 and nodata(/Template-Windows-IA-Common-2016/eventlog[System,,"ERROR|CRITICAL",Service Control Manager,7000,,],10m)=0

last value contains something (we know that it is anyway only the desired event, so no need to start some pattern matching or other thing) and there is some data arrived within last 10 minutes... This should automatically close, if there is no events picked up during 10 minutes from last one...

And you really should start your own topic and not revive old ones...

**Mohan7312** · 20-10-2025, 04:15

Thanks cyber, I will try trigger. if i use the nodata function in trigger expression, it working fine . but if use in recovery expression it not working.

**cyber** · 20-10-2025, 14:50

Originally posted by Mohan7312

Thanks cyber, I will try trigger. if i use the nodata function in trigger expression, it working fine . but if use in recovery expression it not working.

please read docs, what is recovery expression and when it is triggered... If your trigger expression stays TRUE, recovery is not looked at... recovery exression is ADDITIONAL expression considered AFTER original has been evaluated to FALSE...

Ad Widget

Trigger by Eventlog

Trigger by Eventlog

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment