Overview
The expressions used in triggers are very flexible. You can use them to create complex logical tests regarding monitored statistics.
A simple useful expression might look like:
{<server>:<key>.<function>(<parameter>)}<operator><constant>
Functions
Trigger functions allow to reference the collected values, current time and other factors.
A complete list of
supported functions
is available.
Function parameters
Most of numeric functions accept the number of seconds as a parameter.
You may use the prefix
#
to specify that a parameter has a different meaning:
FUNCTION CALLMEANING
sum(600)
Sum of all values within 600 seconds
sum(#5)
Sum of the last 5 values
The function
last
uses a different meaning for values when prefixed with the hash mark - it makes it choose the n-th previous value, so given the values 3, 7, 2, 6, 5 (from most recent to least recent),
last(#2)
would return
7
and
last(#5)
would return
5
.
Several functions support an additional, second
time_shift
parameter. This parameter allows to reference data from a period of time in the past. For example,
avg(1h,1d)
will return the average value for an hour one day ago.
You can use the supported
unit symbols
in trigger expressions, for example '5m' (minutes) instead of '300' seconds or '1d' (day) instead of '86400' seconds. '1K' will stand for '1024' bytes.
Operators
The following operators are supported for triggers
(in descending priority of execution)
:
PRIORITYOPERATORDEFINITION
Unary minus
Logical NOT
Multiplication
Division
Arithmetical plus
Arithmetical minus
Less than. The operator is defined as:
A<B ⇔ (A<B-0.000001) since Zabbix 3.0.17
A<B ⇔ (A≤B-0.000001) before Zabbix 3.0.17
not
,
and
and
or
operators are case-sensitive and must be in lowercase. They also must be surrounded by spaces or parentheses.
All operators, except unary
-
and
not
, have left-to-right associativity. Unary
-
and
not
are non-associative (meaning
-(-1)
and
not (not 1)
should be used instead of
--1
and
not not 1
).
Evaluation result:
<
,
<=
,
>
,
>=
,
=
,
<>
operators shall yield '1' in the trigger expression if the specified relation is true and '0' if it is false;
and
shall yield '1' if both of its operands compare unequal to '0'; otherwise, it yields '0';
or
shall yield '1' if either of its operands compare unequal to '0'; otherwise, it yields '0';
The result of the logical negation operator
not
is '0' if the value of its operand compares unequal to '0'; '1' if the value of its operand compares equal to '0'.
Value caching
Values required for trigger evaluation are cached by Zabbix server. Because of this trigger evaluation causes a higher database load for some time after the server restarts. The value cache is not cleared when item history values are removed (either manually or by housekeeper), so the server will use the cached values until they are older than the time periods defined in trigger functions or server is restarted.
Examples of triggers
Example 1
Processor load is too high on
www.zabbix.com
{www.zabbix.com:system.cpu.load[all,avg1].last()}>5
'www.zabbix.com:system.cpu.load[all,avg1]' gives a short name of the monitored parameter. It specifies that the server is 'www.zabbix.com' and the key being monitored is 'system.cpu.load[all,avg1]'. By using the function 'last()', we are referring to the most recent value. Finally, '>5' means that the trigger is in the PROBLEM state whenever the most recent processor load measurement from www.zabbix.com is greater than 5.
Example 2
www.zabbix.com
is overloaded
{www.zabbix.com:system.cpu.load[all,avg1].last()}>5 or {www.zabbix.com:system.cpu.load[all,avg1].min(10m)}>2
The expression is true when either the current processor load is more than 5 or the processor load was more than 2 during last 10 minutes.
Example 3
/etc/passwd has been changed
Use of function diff:
{www.zabbix.com:vfs.file.cksum[/etc/passwd].diff()}=1
The expression is true when the previous value of checksum of /etc/passwd differs from the most recent one.
Similar expressions could be useful to monitor changes in important files, such as /etc/passwd, /etc/inetd.conf, /kernel, etc.
Example 4
Someone is downloading a large file from the Internet
Use of function min:
{www.zabbix.com:net.if.in[eth0,bytes].min(5m)}>100K
The expression is true when number of received bytes on eth0 is more than 100 KB within last 5 minutes.
Example 5
Both nodes of clustered SMTP server are down
Note use of two different hosts in one expression:
{smtp1.zabbix.com:net.tcp.service[smtp].last()}=0 and {smtp2.zabbix.com:net.tcp.service[smtp].last()}=0
The expression is true when both SMTP servers are down on both smtp1.zabbix.com and smtp2.zabbix.com.
Example 6
Zabbix agent needs to be upgraded
Use of function str():
{zabbix.zabbix.com:agent.version.str("beta8")}=1
The expression is true if Zabbix agent has version beta8 (presumably 1.0beta8).
Example 7
Server is unreachable
{zabbix.zabbix.com:icmpping.count(30m,0)}>5
The expression is true if host “zabbix.zabbix.com” is unreachable more than 5 times in the last 30 minutes.
Example 8
No heartbeats within last 3 minutes
Use of function nodata():
{zabbix.zabbix.com:tick.nodata(3m)}=1
To make use of this trigger, 'tick' must be defined as a Zabbix
trapper
item. The host should periodically send data for this item using zabbix_sender. If no data is received within 180 seconds, the trigger value becomes PROBLEM.
Note
that 'nodata' can be used for any item type.
Example 9
CPU activity at night time
Use of function time():
{zabbix:system.cpu.load[all,avg1].min(5m)}>2 and {zabbix:system.cpu.load[all,avg1].time()}>000000 and {zabbix:system.cpu.load[all,avg1].time()}<060000
The trigger may change its status to true, only at night (00:00-06:00) time.
Example 10
Check if client local time is in sync with Zabbix server time
Use of function fuzzytime():
{MySQL_DB:system.localtime.fuzzytime(10)}=0
The trigger will change to the problem state in case when local time on server MySQL_DB and Zabbix server differs by more than 10 seconds.
Example 11
Comparing average load today with average load of the same time yesterday (using a second
time_shift
parameter).
{server:system.cpu.load.avg(1h)}/{server:system.cpu.load.avg(1h,1d)}>2
This expression will fire if the average load of the last hour tops the average load of the same hour yesterday more than two times.
Example 12
Using the value of another item to get a trigger threshold:
{Template PfSense:hrStorageFree[{#SNMPVALUE}].last()}<{Template PfSense:hrStorageSize[{#SNMPVALUE}].last()}*0.1
The trigger will fire if the free storage drops below 10 percent.
Example 13
Using
evaluation result
to get the number of triggers over a threshold:
({server1:system.cpu.load[all,avg1].last()}>5) + ({server2:system.cpu.load[all,avg1].last()}>5) + ({server3:system.cpu.load[all,avg1].last()}>5)>=2
The trigger will fire if at least two of the triggers in the expression are over 5.
Hysteresis
Sometimes a trigger must have different conditions for different states. For example, we would like to define a trigger which would become PROBLEM when server room temperature is higher than 20C while it should stay in the state until temperature will not become lower than 15C.
In order to do this, we define the following trigger:
Example 1
Temperature in server room is too high
({TRIGGER.VALUE}=0 and {server:temp.last()}>20) or
({TRIGGER.VALUE}=1 and {server:temp.last()}>15)
Note the use of a macro {TRIGGER.VALUE}. The macro returns current trigger value.
Example 2
Free disk space is too low
Problem: it is less than 10GB for last 5 minutes
Recovery: it is more than 40GB for last 10 minutes
({TRIGGER.VALUE}=0 and {server:vfs.fs.size[/,free].max(5m)}<10G) or
({TRIGGER.VALUE}=1 and {server:vfs.fs.size[/,free].min(10m)}<40G)
Note use of {TRIGGER.VALUE} macro. The macro returns current trigger value.
