[ZBX-5738] Trigger with count function on the log item is not resetting Created: 2012 Oct 25  Updated: 2017 May 30  Resolved: 2012 Oct 25

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Server (S)
Affects Version/s: 2.0.3
Fix Version/s: None

Type: Incident report Priority: Major
Reporter: Arli Assignee: Unassigned
Resolution: Won't fix Votes: 0
Labels: logmonitoring, triggerfunctions, triggers
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Zabbix Server 2.0.3 (revision 30485)



 Description   

I have an active agent item with type Log and update interval 60 seconds.
Item key looks like this
log[/var/log/zabbix/syslog/alert.log]

I tried to create trigger using count function to notify me if there are any new records on that logfile, so I used following trigger expression:

{LINUX:log[/var/log/zabbix/syslog/alert.log].count(60)}

>0
When created this, trigger remained in unknown state (trigger just added - no status update so far). And became true when first row was logged to the logfile but did not reset itself after minute had passed and nothing else was logged. It actually remained true for at least couple of hours (didn't had time to wait any longer).
I also tried another notation (found on http://www.zabbix.com/documentation/2.0/manual/config/triggers/expression Example 7) on the time field but the result was the same.

{LINUX:log[/var/log/zabbix/syslog/alert.log].count(1m)}

>0

For a workaround I tried to create a calculated item that would count log entries by minute and that worked as expected
count("log[/var/log/zabbix/syslog/alert.log]",60)
count("log[/var/log/zabbix/syslog/alert.log]",1m)
In both cases item value went back to 0 when no records was logged

So it seems to me that the count function just doesn't work with the log item in the trigger expression.



 Comments   
Comment by richlv [ 2012 Oct 25 ]

non-time based trigger functions make trigger recalculate only when it receives data. if you want to check for value existence, use nodata()

Comment by Arli [ 2012 Oct 25 ]

Ok, maybe it was a bad example. My idea in longer term was to create triggers like "more than 10 errors per minute". But I guess that can be also done by combining count with nodata.
Maybe there could be also note on the docs that says that "non-time based trigger functions make trigger recalculate only when it receives data". Currently there is similar note for 1.8 "Time based functions" that also says they get recalculated every 30 seconds, but nothing for the non-time based, so I assumed they all get recalculated every 30 seconds.

Comment by richlv [ 2012 Oct 25 ]

that's already mentioned...

both of
http://www.zabbix.com/documentation/1.8/manual/config/triggers
http://www.zabbix.com/documentation/2.0/manual/config/triggers

contain :
"Trigger status (expression) is recalculated every time Zabbix server receives new value, if this value is part of this expression."
"Trigger status (the expression) is recalculated every time Zabbix server receives a new value that is part of the expression."

respectively

Generated at Sat Mar 30 10:23:59 EET 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.