Ad Widget

**cyber** · 27-01-2025, 18:21

count( item, 1h)>0 should return to false, when your item has not received any values for 1h.. Have you waited for so long? Is there any such period of time, when no data comes in?
But this logfile triggers issue is old and has long beard..

I'm using quite often something like "bytelength(last(host/item))>0 and nodata(/host/item/,5m)=0" that usually closes the problem after 5 minutes, IF there is no new data.. Basically suppresses new problems until there has been 5m of silence... As customer need, it can usually be closed earlier or later... no less than 30s. We do forward evetns out to 3rd party ticketing, so they will get a ticket anyway, so problem can be closed and ready for next one.

**hm1266** · 29-01-2025, 09:20

Hi - Thanks for your reply -
Yes, im sure item is not triggered for long periodes ( days, weeks )
- where item is like log(logfile, something went wrong..)

It is my understanding, that triggers don't get evaluated, unless a new item appears? At least no if item is a log()?
Therefor the trigger never evaluates to False?

Compared with a, say a trigger like memory_free < 10. This will return False, as soon as it sees 11 free.

**hm1266** · 31-01-2025, 09:41

Hi thanks again, I tried this:

Host xxxx
Trigger HM_test_close
Severity Information
Problem expression
bytelength(last(/xxxx/log[/tmp/testfile,Hello]))>0
Recovery expression
nodata(/xxxx/log[/tmp/testfile,Hello],5m)=0
Event generation Normal
Allow manual close No
Enabled Yes

( i replaced the real hostname.domain with xxxx )

And after echo Hello7 >> /tmp/testfile, it created a 'problem':
Event HM_test_close
Operational data
Hello7
Severity Information
Time 2025-01-31 08:23:01
Acknowledged No
Tags OS: Linux
Description
Rank Cause

and:
Event list [previous 20]
Time Recovery time Status Age Duration Update Actions
2025-01-31 08:23:01 PROBLEM 13m 42s 13m 42s Update

Any hint as to what I did wrong, or forgot to do?
/holger

**cyber** · 31-01-2025, 13:37

Wrong? Using recovery expression...

RE is only considered after problem expression has turned FALSE...
Use both expressions together with AND.

**hm1266** · 06-02-2025, 11:07

|| RE is only considered after problem expression has turned FALSE...
Oh... OK.
And since this will never happen ( problem expression is always true ), I need to add

I have tried:

Host xxxx
Trigger HM_test_close
Severity Information
Problem expression
bytelength(last(/xxxx/log[/tmp/testfile,Hello]))>0 and nodata(/xxxx/log[/tmp/testfile,Hello],5m)=0
Recovery expression
Event generation Normal
Allow manual close Yes
Enabled Yes

It dos sound like a roundabout way of using count( item, 5m)!=0, but perhaps there is a subtle difference?

The good news is, that problems are still triggered:

Event details
Event HM_test_close
Operational data
Hello8
Severity Information
Time 2025-02-06 09:13:46
Acknowledged No
Tags OS: Linux
Description
Rank Cause zz0.e2txsr9xodvzz

But they still dont close:

Event list [previous 20]
Time Recovery time Status Age Duration Update Actions
2025-02-06 09:13:46 PROBLEM 24m 1s 24m 1s Update

Thanks for your support - Iam very grateful - I have tried to solve this for more than a year, and your suggestions have explained a lot, already.
/holger

**cyber** · 06-02-2025, 17:13

Was there any data coming in during that 5m time? that 5m is reset, if something comes in, so there should be a total silence for 5m...
difference in nodata and count, as your example... this is here.. https://www.zabbix.com/documentation...lculation-time
date/time functions and nodata are recalcualted every 30s. Others, when new value arrives...

Ad Widget

Trigger / action and 'autoclose'

Trigger / action and 'autoclose'

Comment

Comment

Comment

Comment

Comment

Comment