Ad Widget

**cyber** · 27-08-2024, 12:18

In general it should work, I have plenty of such logfile triggers, which close based on nodata().
So show us, what you did, maybe someone can point out your mistake?

**leascherf** · 27-08-2024, 15:52

Originally posted by cyber

In general it should work, I have plenty of such logfile triggers, which close based on nodata().
So show us, what you did, maybe someone can point out your mistake?

Hi, thanks for your response

**cyber** · 28-08-2024, 11:50

ok .. here we have pics of 2 items, but what about the trigger?

**leascherf** · 28-08-2024, 15:42

Originally posted by cyber

ok .. here we have pics of 2 items, but what about the trigger?

Sorry for that. I swear that I uploaded the trigger image.
I resolved the problem using on this way. I don't know is this is the better way to make this

The only problem I have with this way I have it set up is when more than one event of the same type arrives at the same time and it doesn't solve the problem for me.

**cyber** · 29-08-2024, 10:05

This does not work...
first of ... some basics... Recovery expression is ADDITIONAL expression that has to become true AFTER main expression has become FALSE...
You see, your main expression is always true, last value is not 0 always... So no matter, what you write into recovery, it will not be considered. For me looks kind of weird to compare a log item to 0 anyway, but in general it works...
So you need to add that nodata() condition into main expression.

Code:

... and nodata(/host/item,1m)=1

this will close the problem after 1 minute if there is no new data... You have check interval at 5 minutes, so it pretty sure, that after a minute ther eis no new data ..

Second piece of basics: Nodata is recalculated in every 30s, so using 1s there does nto work... (from docs: sec period should not be less than 30 seconds because the history syncer process calculates this function only every 30 seconds.). so use at least 30s there or longer.

**leomichielsen** · 12-12-2024, 09:13

I have the following trigger in a template but adding the nodata part gives an error. I cannot find out how to fix this.
logeventid(/Windows agent active/eventlog[Application,,,,8888,,skip])=1 and nodata(/{HOSTNAME}/(eventlog[Application,,,,8888,,skip]),1m)=1
cyber can you enlighten me?

**cyber** · 12-12-2024, 14:20

{HOSTNAME} ? replace it with "Windows agent active"

**cyber** · 13-12-2024, 13:18

you have one extra ( there

Code:

 nodata(/Windows agent active/-->  (  <--- eventlog[Application,,,,8888,,skip]),1m)

**Moebius** · 24-09-2025, 17:44

I have a similar case.

Some error events will be written to a log file. A trigger will fire for any of such log entries.
At midnight the file will be deleted or replaced by a blank file.
The problems will be closed manually, but if not closed manually, they should auto-close when the file is deleted (or at a given time of the day).

I checked if the problem is resolved when the log file is deleted or replaced by an empty file, but it does not.
cyber Any idea on how can I achieve the above? I can make the new file start with an arbitrary string.

Thank you!

Edit: That was probably a trivial question... I will try and use the starting string in the newly created file for the trigger resolution. Something like "CLOSE-ALL-PROBLEMS" should do.

**cyber** · 25-09-2025, 10:49

Originally posted by Moebius

Edit: That was probably a trivial question... I will try and use the starting string in the newly created file for the trigger resolution. Something like "CLOSE-ALL-PROBLEMS" should do.

yep.. if you pick up all lines from file anyway and this will be the only one not triggering anything, then finding this will recalculate trigger to false and you can close all the matching events..

Ad Widget

Auto close event logs trigger issue

Auto close event logs trigger issue

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment