Hey Marijana
So let me try to explain what is the issue and why it not working as you expect.
Main point to understand here - recovery expression. Recovery expressions is evaluated only AFTER trigger expressions switches to false. So if you have two different items (A and B) and want a trigger to open based on value of A but be resolved based on value of B, you need to make sure that by time B arrives the trigger expression is already resolved. So if you use find(A, ...)=1 and item A only gets values that match this condition, the trigger can not be automatically resolved. Ever. Because latest value of value A that find(A) takes for evaluation is always matches the alert condition. Simply put, if you got trap "power lost" at 15:39, the last value of item A will still be "power lost" at 16:00, 20:00, 24:00, etc. It will never change. No matter how many traps arrive to item B, value of find(A) will remain same and will satisfy the trigger expression.
In my initial message in this thread I offered the easiest way to solve it - you combine traps that trigger alert and those that resolve alert into same item. This way find() function will be fetching the latest trap. If latest trap received indicates alert fire condition - trigger condition will match and alert will fire. If latest trap received indicates alert resolution condition (or NOT alert fire condition) trigger expression will be false (and recovery condition will be true, if set) resulting in alert resolving.
Alternative approach (which I think is working, tho it was long time since i had to use it so not sure if it still would work same way in current version of Zabbix) is to limit time for how far back in the past we looking with find() function.
This way you keep your items A and B separately. Then you define trigger like find(A,1m,"regexp","some_matching_string")=1. Recovery like find(B,1m,"regexp","some_other_matching_string")=1 .
Now how it work:
Trap arrives to item A with matching string - Zabbix will take all values A over last minute and check if any of them match trigger conditions -> last one matches -> alert fired.
Few minutes later (it's important, we set 1m in find() function, so there should be at least 1 minute between alert trap and recovery trap) a recovery trap arriver -> as new value that is used for trigger arrive Zabbix needs to reevaluate the trigger -> zabbix takes all values over last minutes for item A -> there should be no values, as alert open trap arrived more than a minute ago -> trigger expression is not satisfied(false) so zabbix can proceed to check recovery expression -> it takes all values of item B now over last minute -> it checks if find function matches -> it's matched -> alert resolved
Big problem with second approach is the fact you are setting static lookback (1m in my example) to function. If time between alert trap and recovery traps will be less then set time (1m) - recovery will not work. That is why I recommend first approach whenever possible.
(And writing regexp with oid name instead of oid number is easier (IMO), that is why I usually recommend to have mibs installed)
Either way, pretty lengthy reply and I never saw myself as good at explaining, so feel free to follow up with questions
So let me try to explain what is the issue and why it not working as you expect.
Main point to understand here - recovery expression. Recovery expressions is evaluated only AFTER trigger expressions switches to false. So if you have two different items (A and B) and want a trigger to open based on value of A but be resolved based on value of B, you need to make sure that by time B arrives the trigger expression is already resolved. So if you use find(A, ...)=1 and item A only gets values that match this condition, the trigger can not be automatically resolved. Ever. Because latest value of value A that find(A) takes for evaluation is always matches the alert condition. Simply put, if you got trap "power lost" at 15:39, the last value of item A will still be "power lost" at 16:00, 20:00, 24:00, etc. It will never change. No matter how many traps arrive to item B, value of find(A) will remain same and will satisfy the trigger expression.
In my initial message in this thread I offered the easiest way to solve it - you combine traps that trigger alert and those that resolve alert into same item. This way find() function will be fetching the latest trap. If latest trap received indicates alert fire condition - trigger condition will match and alert will fire. If latest trap received indicates alert resolution condition (or NOT alert fire condition) trigger expression will be false (and recovery condition will be true, if set) resulting in alert resolving.
Alternative approach (which I think is working, tho it was long time since i had to use it so not sure if it still would work same way in current version of Zabbix) is to limit time for how far back in the past we looking with find() function.
This way you keep your items A and B separately. Then you define trigger like find(A,1m,"regexp","some_matching_string")=1. Recovery like find(B,1m,"regexp","some_other_matching_string")=1 .
Now how it work:
Trap arrives to item A with matching string - Zabbix will take all values A over last minute and check if any of them match trigger conditions -> last one matches -> alert fired.
Few minutes later (it's important, we set 1m in find() function, so there should be at least 1 minute between alert trap and recovery trap) a recovery trap arriver -> as new value that is used for trigger arrive Zabbix needs to reevaluate the trigger -> zabbix takes all values over last minutes for item A -> there should be no values, as alert open trap arrived more than a minute ago -> trigger expression is not satisfied(false) so zabbix can proceed to check recovery expression -> it takes all values of item B now over last minute -> it checks if find function matches -> it's matched -> alert resolved
Big problem with second approach is the fact you are setting static lookback (1m in my example) to function. If time between alert trap and recovery traps will be less then set time (1m) - recovery will not work. That is why I recommend first approach whenever possible.
(And writing regexp with oid name instead of oid number is easier (IMO), that is why I usually recommend to have mibs installed)
Either way, pretty lengthy reply and I never saw myself as good at explaining, so feel free to follow up with questions
Comment