conditional expression of zabbix

conditional expression of zabbix

hrk1l2x

2 minute read

Conditional expression of Zabbix trigger

environment

  • Zabbix 3.4.10

regexp(), iregexp()

  • check if latest data match regular explession.
  • parameter is regular explession of POSIX.

iregexp(“WARNING”, 10(sec)[#3])

((({xxx:log[/var/log/messages,"error"].iregexp(error)})=1) and
(({xxx:log[/var/log/messages,"error"].nodata(60)})=0))

if you get log “WARNING”, trigger will be executed.

{Template_xxx:check_xxx[{Conditional expression}].iregexp("WARNING")}<>0

count

premise: the update of items are 1 minute interval.

in the recent 7 times, trigger will be activated if there are more than 80 (%) of CPU usage over 3 times (37 minutes).

{Template OS Windows:system.cpu.util[,system,avg1].count(#7, 80, "gt")}>3

dayofweek()

from Mon(18:00~) to Fri(24:00), if you get log “WARNING”, trigger will be executed.

({Template_xxx:check_xxx[{Conditional expression}].str("WARNING")}=1) and
({Template_xxx:check_xxx[{Conditional expression}].dayofweek()}<6) and
(({Template_xxx:check_xxx[{Conditional expression}].dayofweek()}=1) and
({Template_xxx:check_xxx[{Conditional expression}].time(0)}<180000)=0)

form 6:00 to 6:30, check CPU Load Average.

({Template_xxx:system.cpu.load[percpu,avg5].avg(20m)}>5) and
(({Template_xxx:system.cpu.load[percpu,avg5].time(0)}<060000) or
({Template_xxx:system.cpu.load[percpu,avg5].time(0)}>063000))

regular expression

error_message 1 ยป WARNING|CRITICAL|UNKNOWN|ERROR [result is true]

if you get @error_message trigger will be executed.

{Template_xxx:check_xxx[{Conditional expression}].iregexp(@error_message)}<>0

ping

icmpping

ping 3 times each monitoring interval(60 sec), return 1 if there is even one response within 0.5 sec, otherwise return 0. fail over 3 times (60sec *3).

{Template Module ICMP Ping:icmpping.max(#3)}=0

icmppingloss

trigger will be executed if the loss packet rate ($ICMP_LOSS_WARN) continue 20~99% over 5 minutes.

{Template Module ICMP Ping:icmppingloss.min(5m)}>{$ICMP_LOSS_WARN} and {Template Module ICMP Ping:icmppingloss.min(5m)}<100

web monitoring

{template_xxx:web.test.rspcode[Web-Monitoring_xxx,http://{HOST.IP}/_hc.html].last(#5)}&lt;&gt;200

trigger dependency

  • trigger_WARNING threshold 80%
  • trigger_CRITICAL threshold 90%

at the time recovery, the trigger will be noticed duplicately. in such a case, you can use trigger expression.

trigger_WARNING depends CRITICAL that is set CRITICAL tirigger in the setting fileld of WARNING trigger dependency.

comments powered by Disqus