Triggers based on log items are limited.
Regular expression 'winlog-eventid-adaccmgmt-filter' is used to filter desired event ids (~15 of them). This works properly.
Trigger expression example:
This trigger means "if the last eventlog item has id 4719 or 4722 or 4738". It activates as expected. But then it stays in the 'true' state until some non-desired eventid is collected. That also prevents use of a "recovery expression", since the "problem expression" has to go to 'false' first.
Adding the 'nodata' function to the problem expression does not help and also has drawbacks. With 'logeventid() ... and ... nodata(30)=1' it requires that no new eventlog item arrives within 30 s. In the real world many events can be generated in 30 seconds (Zabbix recommends 30 s as the minimum for 'nodata').
The goal I would like to achieve is: activate the trigger on a new, desired logeventid, then "autoclose" the trigger as soon as possible, since new important events could come.
Three possible solutions come to my mind.
1. Invent an 'age()' trigger function that returns the number of seconds since the last item was collected. The problem expression could then be written with the logic "if the last eventlog item contains these log event ids and the event is not older than".
2. Add the described "age" as a parameter to the logeventid() function.
3. In the trigger configuration, within the "OK event generation" options, add "Autoclose". The code behind this could also evaluate the age of the activated trigger and close it if it is older than x seconds.
The third one covers the widest range of uses and could make many triggers clean, simple and even possible. IMHO it is one of the most discussed topics on the forum: how to achieve "notify-only-once" logic instead of the two-step "ok -> problem -> ok". It would be used for various snmp items, checksums, changing interface status, ...
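To make the behaviour of the three problem expressions concrete, here is an added simulation (not code from the original request or from Zabbix) that evaluates "logeventid only", "logeventid and nodata(30)" and the proposed "logeventid and age() <= N" against a constructed stream of Windows Security event ids. The event timestamps, the 10 s age limit and the helper names `logeventid`, `nodata` and `age` are assumptions chosen to illustrate the point; they mirror the semantics described above rather than any real Zabbix API.

```python
import re

# Constructed sample: (collection time in seconds, Windows Security event id).
# 4719 and 4738 are in the desired set; 4624 is a routine logon that is not.
EVENTS = [
    (100, 4719),  # audit policy changed (desired)
    (160, 4738),  # user account changed (desired), 60 s later
    (200, 4624),  # logon (not desired), clears the "last item" check
]

# Same idea as the 'winlog-eventid-adaccmgmt-filter' regexp, reduced to three ids.
DESIRED_EVENT_IDS = re.compile(r"^(4719|4722|4738)$")


def last_item(events, now):
    """Most recent item collected at or before `now`, or None."""
    past = [e for e in events if e[0] <= now]
    return past[-1] if past else None


def logeventid(events, now, pattern=DESIRED_EVENT_IDS):
    """True when the last collected item's event id matches the pattern."""
    item = last_item(events, now)
    return item is not None and pattern.match(str(item[1])) is not None


def nodata(events, now, seconds):
    """True when nothing was collected in the last `seconds` (Zabbix nodata()=1)."""
    return not any(now - seconds < ts <= now for ts, _ in events)


def age(events, now):
    """Proposed age(): seconds since the last item was collected (None if no items)."""
    item = last_item(events, now)
    return None if item is None else now - item[0]


def problem_plain(events, now):
    """Expression from the request: stays true until a non-desired id arrives."""
    return logeventid(events, now)


def problem_nodata(events, now, window=30):
    """logeventid() and nodata(30)=1: only fires after a 30 s silence."""
    return logeventid(events, now) and nodata(events, now, window)


def problem_age(events, now, max_age=10):
    """Proposed option 1/2: fires immediately, auto-closes after max_age seconds."""
    a = age(events, now)
    return logeventid(events, now) and a is not None and a <= max_age


def timeline(expr, events, times, **kw):
    """Evaluate a problem expression at each sample time; returns {time: state}."""
    return {t: expr(events, t, **kw) for t in times}


if __name__ == "__main__":
    samples = [101, 115, 135, 161, 175, 195, 205]
    for name, expr in (("plain", problem_plain),
                       ("nodata(30)", problem_nodata),
                       ("age()<=10", problem_age)):
        states = timeline(expr, EVENTS, samples)
        print(f"{name:>10}: " + " ".join(
            f"t={t}:{'PROBLEM' if s else 'ok'}" for t, s in states.items()))
```

The plain expression is in PROBLEM state continuously from t=100 until the 4624 at t=200, so the 4738 at t=160 never produces a new problem event. The nodata(30) variant only reaches PROBLEM at t=135 and t=195, i.e. 30 s after each desired event, and would never fire if items kept arriving more often than that. The age() variant is PROBLEM at t=101 and t=161 and back to ok by t=115 and t=175, which is the "fire once, auto-close quickly" behaviour the request asks for.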