On the Zabbix server (version 3.2.1) there is a data element of the type log, which is collected every 30 seconds. This log contains the events: "Connection disconnection" and "Connection establishment".

A trigger has been created for this item that works. But very often these 2 events go in a row. That is, the connection fell and immediately restored. 2 messages from zabbix come at once. How to rewrite the trigger so that it works only if there is a "Connection disconnection" event, and the "Connection establishment" events do not follow?

Problem expression

{TRANSFILE_2017:log["D:\FC_Run.log"," --- ",windows-1251].str(Разрыв)}=1

Recovery expression

 {TRANSFILE_2017:log["D:\FC_Run.log"," --- ",windows-1251].str(Установка)}=1

Tags: None

    1 answer 1

    You can do this:

     {TRANSFILE_2017:log["D:\FC_Run.log"," --- ",windows-1251].str(Разрыв,#2)}=1 and {TRANSFILE_2017:log["D:\FC_Run.log"," --- ",windows-1251].str(Разрыв)}=0 and {TRANSFILE_2017:log["D:\FC_Run.log"," --- ",windows-1251].str(Установка)}=0

    If there is a gap in the last two messages, but the gap is not in the most recent message (that is, the gap in the penultimate message), and there is no installation in the last message.

    • But there may be a situation when the gap is one and you need to react to it. - igaraev
    • one
      Did not quite understand your thought. Can you give an example of logs to which to react? - amoskaliov
    • 05/10/2019 08:46:33 I 20000009 003: --- Establishing a connection to XXX Server, 7772. Server version 22.21.20. 05/10/2019 08:46:33 E 40000009 004: --- Disconnection from XXX Server. - igaraev
    • It is necessary to react if after the event the gap has passed more than one minute, and there is no installation event. - igaraev