zabbix触发器表达式
触发器使用逻辑表达式来评估通过item获取的数据是处于哪种状态,ite
触发器中的表达式使用很灵活,我们可以创建一个复杂的逻辑测试监控,触发器表达式形式如下:
{
{主机:key.函数(参数)} <表达式> 常数
Functions函数
触发器functions完整链接:
| FUNCTION | |||
|---|---|---|---|
| Description | Parameters | Comments | |
| abschange | |||
| The amount of absolute difference between last and previous values. | Supported value types: float, int, str, text, log For example: (previous value;last value=abschange) 1;5=4 3;1=2 0;-2.5=2.5 For strings returns: 0 - values are equal 1 - values differ | ||
| avg (sec|#num,
|
|||
| Average value of an item within the defined evaluation period. | sec or #num - evaluation period in seconds or in latest collected values (preceded by a hash mark) time_shift (optional) - evaluation point is moved the number of seconds back in time | Supported value types: float, int Examples: ⇒ avg(#5) → average value for the five latest values ⇒ avg(1h) → average value for an hour ⇒ avg(1h,1d) → average value for an hour one day ago. The time_shift parameter is supported since Zabbix 1.8.2. It is useful when there is a need to compare the current average value with the average value time_shift seconds back. |
|
| band (<sec|#num>,mask,
|
|||
| Value of “bitwise AND” of an item value and mask. | sec (ignored, equals #1) or #num(optional) - the Nth most recent value mask (mandatory) - 64-bit unsigned integer (0 - 18446744073709551615) time_shift (optional) - see avg() | Supported value types: int Take note that #num works differently here than with many other functions (see last()). Although the comparison is done in a bitwise manner, all the values must be supplied and are returned in decimal. For example, checking for the 3rd bit is done by comparing to 4, not 100. Examples: ⇒ band(,12)=8 or band(,12)=4 → 3rd or 4th bit set, but not both at the same time ⇒ band(,20)=16 → 3rd bit not set and 5th bit set. This function is supported since Zabbix 2.2.0. |
|
| change | |||
| The amount of difference between last and previous values. | Supported value types: float, int, str, text, log For example: (previous value;last value=change) 1;5=+4 3;1=-2 0;-2.5=-2.5 For strings returns: 0 - values are equal 1 - values differ | ||
| count (sec|#num,
|
|||
| Number of values within the defined evaluation period. | sec or #num - evaluation period in seconds or in latest collected values (preceded by a hash mark) pattern (optional) - required pattern operator (optional) Supported operators: eq - equal ne - not equal gt - greater ge - greater or equal lt - less le - less or equal like - matches if contains pattern (case-sensitive) band - bitwise AND regexp - case sensitive match of regular expression given in pattern iregexp - case insensitive match of regular expression given in pattern Note that: eq (default), ne, gt, ge, lt, le, band, regexp, iregexp are supported for integer items eq (default), ne, gt, ge, lt, le, regexp, iregexp are supported for float items like (default), eq, ne, regexp, iregexpare supported for string, text and log items time_shift (optional) - see avg() |
Supported value types: float, integer, string, text, log Float items match with the precision of 0.000001. With band as third parameter, the second pattern parameter can be specified as two numbers, separated by '/': number_to_compare_with/mask. count() calculates “bitwise AND” from the value and the mask and compares the result to number_to_compare_with. If the result of “bitwise AND” is equal to number_to_compare_with, the value is counted. If number_to_compare_with and mask are equal, only the mask need be specified (without '/'). With regexp or iregexp as third parameter the second pattern parameter can be an ordinary or global(starting with '@') regular expression. In case of global regular expressions case sensitivity is inherited from global regular expression settings. For the purpose of regexp matching, float values will always be represented with 4 decimal digits after '.'. Also note that for large numbers difference in decimal (stored in database) and binary (used by Zabbix server) representation may affect the 4th decimal digit. Examples: ⇒ count(10m) → number of values for last 10 minutes ⇒ count(10m,"error",eq) → number of values for last 10 minutes that equal 'error' ⇒ count(10m,12) → number of values for last 10 minutes that equal '12' ⇒ count(10m,12,gt) → number of values for last 10 minutes that are over '12' ⇒ count(#10,12,gt) → number of values within last 10 values that are over '12' ⇒ count(10m,12,gt,1d) → number of values for preceding 10 minutes up to 24 hours ago that were over '12' ⇒ count(10m,6/7,band) → number of values for last 10 minutes having '110' (in binary) in the 3 least significant bits. ⇒ count(10m,,,1d) → number of values for preceding 10 minutes up to 24 hours ago The #num parameter is supported since Zabbix 1.6.1. The time_shift parameter and string operators are supported since Zabbix 1.8.2. The band operator is supported since Zabbix 2.2.0. The regexp, iregexp operators are supported since Zabbix 3.2.0. |
|
| date | |||
| Current date in YYYYMMDD format. | Supported value types: any Example of returned value: 20150731 | ||
| dayofmonth | |||
| Day of month in range of 1 to 31. | Supported value types: any This function is supported since Zabbix 1.8.5. | ||
| dayofweek | |||
| Day of week in range of 1 to 7 (Mon - 1, Sun - 7). | Supported value types: any | ||
| delta (sec|#num,
|
|||
| Difference between the maximum and minimum values within the defined evaluation period ('max()' minus 'min()'). | sec or #num - evaluation period in seconds or in latest collected values specified (preceded by a hash mark) time_shift (optional) - see avg() | Supported value types: float, int The time_shift parameter is supported since Zabbix 1.8.2. |
|
| diff | |||
| Checking if last and previous values differ. | Supported value types: float, int, str, text, log Returns: 1 - last and previous values differ 0 - otherwise | ||
| forecast (sec|#num,
|
|||
| Future value, max, min, delta or avg of the item. | sec or #num - evaluation period in seconds or in latest collected values specified (preceded by a hash mark) time_shift (optional) - see avg() time - forecasting horizon in seconds fit (optional) - function used to fit historical data Supported fits: linear - linear function polynomialN - polynomial of degree N (1 <= N <= 6) exponential - exponential function logarithmic - logarithmic function power - power function Note that: linear is default, polynomial1 is equivalent to linear mode (optional) - demanded output Supported modes: value - value (default) max - maximum min - minimum delta - max-min avg - average Note that: value estimates item value at the moment now + time max, min, delta and avg investigate item value estimate on the interval between now and now + time |
Supported value types: float, int If value to return is larger than 999999999999.9999 or less than -999999999999.9999, return value is cropped to 999999999999.9999 or -999999999999.9999 correspondingly. Becomes not supported only if misused in expression (wrong item type, invalid parameters), otherwise returns -1 in case of errors. Examples: ⇒ forecast(#10,,1h) → forecast of item value after one hour based on last 10 values ⇒ forecast(1h,,30m) → forecast of item value after 30 minutes based on last hour data ⇒ forecast(1h,1d,12h) → forecast of item after 12 hours based on one hour one day ago ⇒ forecast(1h,,10m,exponential) → forecast of item value after 10 minutes based on last hour data and exponential function ⇒ forecast(1h,,2h,polynomial3,max) → forecast of maximum value item can reach in next two hours based on last hour data and cubic (third degree) polynomial ⇒ forecast(#2,,-20m) → estimate the value of an item which was 20 minutes ago based on last two values (this can be more precise than using last() or prev(), especially if item is updated rarely, say, once an hour) This function is supported since Zabbix 3.0.0. Negative time values are supported since Zabbix 3.0.6 and 3.2.2. See also additional information on predictive trigger functions. |
|
| fuzzytime (sec) | |||
| Checking how much an item timestamp value differs from the Zabbix server time. | sec - seconds | Supported value types: float, int Returns: 0 - if difference between item timestamp value and Zabbix server timestamp is over T seconds 1 - otherwise. Usually used with system.localtime to check that local time is in sync with local time of Zabbix server. Can be used also with vfs.file.time[/path/file,modify] key to check that file didn't get updates for long time. Example: ⇒ fuzzytime(60)=0 → detect a problem if time difference is over 60 seconds | |
| iregexp (
|
|||
| This function is a non case-sensitive analogue of regexp(). | see regexp() | Supported value types: str, log, text | |
| last (<sec|#num>,
|
|||
| The most recent value. | sec (ignored, equals #1) or #num(optional) - the Nth most recent value time_shift (optional) - see avg() | Supported value types: float, int, str, text, log Take note that #num works differently here than with many other functions. For example: last() is always equal to last(#1) last(#3) - third most recent value (not three latest values) Zabbix does not guarantee exact order of values if more than two values exist within one second in history. The #num parameter is supported since Zabbix 1.6.2. The time_shift parameter is supported since Zabbix 1.8.2. |
|
| logeventid (
|
|||
| Checking if event ID of the last log entry matches a regular expression. | pattern (optional) - regular expression describing the required pattern, Perl Compatible Regular Expression (PCRE) style or POSIX extended regular expression before Zabbix 3.4. | Supported value types: log Returns: 0 - does not match 1 - matches This function is supported since Zabbix 1.8.5. | |
| logseverity | |||
| Log severity of the last log entry. | Supported value types: log Returns: 0 - default severity N - severity (integer, useful for Windows event logs: 1 - Information, 2 - Warning, 4 - Error, 7 - Failure Audit, 8 - Success Audit, 9 - Critical, 10 - Verbose). Zabbix takes log severity from Information field of Windows event log. | ||
| logsource (
|
|||
| Checking if log source of the last log entry matches parameter. | pattern (optional) - required string | Supported value types: log Returns: 0 - does not match 1 - matches Normally used for Windows event logs. For example, logsource("VMware Server"). | |
| max (sec|#num,
|
|||
| Highest value of an item within the defined evaluation period. | sec or #num - evaluation period in seconds or in latest collected values (preceded by a hash mark) time_shift (optional) - see avg() | Supported value types: float, int The time_shift parameter is supported since Zabbix 1.8.2. |
|
| min (sec|#num,
|
|||
| Lowest value of an item within the defined evaluation period. | sec or #num - evaluation period in seconds or in latest collected values (preceded by a hash mark) time_shift (optional) - see avg() | Supported value types: float, int The time_shift parameter is supported since Zabbix 1.8.2. |
|
| nodata (sec) | |||
| Checking for no data received. | sec - evaluation period in seconds. The period should not be less than 30 seconds because the timer process calculates this function only every 30 seconds. nodata(0) is disallowed. | Supported value types: any Returns: 1 - if no data received during the defined period of time 0 - otherwise Note that this function will display an error if, within the period of the 1st parameter: - there's no data and Zabbix server was restarted - there's no data and maintenance was completed - there's no data and the item was added or re-enabled Errors are displayed in the Info column in trigger configuration. | |
| now | |||
| Number of seconds since the Epoch (00:00:00 UTC, January 1, 1970). | Supported value types: any | ||
| percentile (sec|#num,
|
|||
| P-th percentile of a period, where P (percentage) is specified by the third parameter. | sec or #num - evaluation period in seconds or in latest collected values (preceded by a hash mark) time_shift (optional) - see avg() percentage - a floating-point number between 0 and 100 (inclusive) with up to 4 digits after the decimal point | Supported value types: float, int This function is supported since Zabbix 3.0.0. | |
| prev | |||
| Previous value. | Supported value types: float, int, str, text, log Returns the same as last(#2). | ||
| regexp (
|
|||
| Checking if the latest (most recent) value matches regular expression. | pattern (optional) - regular expression, Perl Compatible Regular Expression (PCRE) style or POSIX extended regular expression before Zabbix 3.4 sec or #num (optional) - evaluation period in seconds or in latest collected values (preceded by a hash mark). In this case, more than one value may be processed. | Supported value types: str, text, log Returns: 1 - found 0 - otherwise If more than one value is processed, '1' is returned if there is at least one matching value. This function is case-sensitive. | |
| str (
|
|||
| Finding a string in the latest (most recent) value. | pattern (optional) - required string sec or #num (optional) - evaluation period in seconds or in latest collected values (preceded by a hash mark). In this case, more than one value may be processed. | Supported value types: str, text, log Returns: 1 - found 0 - otherwise If more than one value is processed, '1' is returned if there is at least one matching value. This function is case-sensitive. | |
| strlen (<sec|#num>,
|
|||
| Length of the latest (most recent) value in characters (not bytes). | sec (ignored, equals #1) or #num(optional) - the Nth most recent value time_shift (optional) - see avg() | Supported value types: str, text, log Take note that #num works differently here than with many other functions. Examples: ⇒ strlen()(is equal to strlen(#1)) → length of the latest value ⇒ strlen(#3) → length of the third most recent value ⇒ strlen(,1d) → length of the most recent value one day ago. This function is supported since Zabbix 1.8.4. |
|
| sum (sec|#num,
|
|||
| Sum of collected values within the defined evaluation period. | sec or #num - evaluation period in seconds or in latest collected values (preceded by a hash mark) time_shift (optional) - see avg() | Supported value types: float, int The time_shift parameter is supported since Zabbix 1.8.2. |
|
| time | |||
| Current time in HHMMSS format. | Supported value types: any Example of returned value: 123055 | ||
| timeleft (sec|#num,
|
|||
| Time in seconds needed for an item to reach a specified threshold. | sec or #num - evaluation period in seconds or in latest collected values specified (preceded by a hash mark) time_shift (optional) - see avg() threshold - value to reach fit (optional) - see forecast() | Supported value types: float, int If value to return is larger than 999999999999.9999, return value is cropped to 999999999999.9999. Returns 999999999999.9999 if threshold cannot be reached. Becomes not supported only if misused in expression (wrong item type, invalid parameters), otherwise returns -1 in case of errors. Examples: ⇒ timeleft(#10,,0) → time until item value reaches zero based on last 10 values ⇒ timeleft(1h,,100) → time until item value reaches 100 based on last hour data ⇒ timeleft(1h,1d,0) → time until item value reaches 0 based on one hour one day ago ⇒ timeleft(1h,,200,polynomial2) → time until item reaches 200 based on last hour data and assumption that item behaves like quadratic (second degree) polynomial This function is supported since Zabbix 3.0.0. Unit symbols in threshold parameter are supported since Zabbix 3.0.6 and 3.2.2. See also additional information on predictive trigger functions. |
Function参数
| FUNCTION CALL | 描述 |
|---|---|
| sum(600) | 600秒内的总和 |
| sum(#5) | 最新5个值的和 |
last函数使用不同的参数将会得到不同的值,#2表示倒数第二新的数据。例如从老到最新值为1,2,3,4,5,6,7,8,9,10,last(#2)得到的值为9,last(#9)得到的值为2。last()就是倒数第一个值。
AVG,count,last,min和max函数还支持额外的参数,以秒为单位的参数time_shift(时间偏移量)。例如avg(1h,1d),那么将会获取到昨天的1小时内的平均数据。
[warning]备注:触发器表达式需要使用history历史数据来计算,如果history不可用(time_shift时间偏移量参数无法使用),因此history记录一定要保留长久一点,至少要保留需要用的记录。[/warning]
触发器表达式可以使用单位符号来替代大数字,例如5m替代300,或者1d替代86400,1k替代1024字节等等。
操作符
3.2及以上版本
| PRIORITY | OPERATOR | DEFINITION | Notes for unknown values |
|---|---|---|---|
| 1 | - | Unary minus | -Unknown → Unknown |
| 2 | not | Logical NOT | not Unknown → Unknown |
| 3 | ***** | Multiplication | 0 ***** Unknown → Unknown (yes, Unknown, not 0 - to not lose Unknown in arithmetic operations) 1.2 ***** Unknown → Unknown |
| / | Division | Unknown / 0 → error Unknown / 1.2 → Unknown 0.0 / Unknown → Unknown | |
| 4 | + | Arithmetical plus | 1.2 + Unknown → Unknown |
| - | Arithmetical minus | 1.2 - Unknown → Unknown | |
| 5 | < | Less than. The operator is defined as: A<B ⇔ (A<B-0.000001) since Zabbix 3.4.9 A<B ⇔ (A≤B-0.000001) before Zabbix 3.4.9 | 1.2 < Unknown → Unknown |
| <= | Less than or equal to. The operator is defined as: A<=B ⇔ (A≤B+0.000001) since Zabbix 3.4.9 A<=B ⇔ (A<B+0.000001) before Zabbix 3.4.9 | Unknown <= Unknown → Unknown | |
| > | More than. The operator is defined as: A>B ⇔ (A>B+0.000001) since Zabbix 3.4.9 A>B ⇔ (A≥B+0.000001) before Zabbix 3.4.9 | ||
| >= | More than or equal to. The operator is defined as: A>=B ⇔ (A≥B-0.000001) since Zabbix 3.4.9 A>=B ⇔ (A>B-0.000001) before Zabbix 3.4.9 | ||
| 6 | = | Is equal. The operator is defined as: A=B ⇔ (A≥B-0.000001) and (A≤B+0.000001) since Zabbix 3.4.9 A=B ⇔ (A>B-0.000001) and (A<B+0.000001) before Zabbix 3.4.9 | |
| <> | Not equal. The operator is defined as: A<>B ⇔ (A<B-0.000001) or (A>B+0.000001) since Zabbix 3.4.9 A<>B ⇔ (A≤B-0.000001) or (A≥B+0.000001) before Zabbix 3.4.9 | ||
| 7 | and | Logical AND | 0 and Unknown → 0 1 and Unknown → Unknown Unknown and Unknown → Unknown |
| 8 | or | Logical OR | 1 or Unknown → 1 0 or Unknown → Unknown Unknown or Unknown → Unknown |
3.0及其以下版本
| 优先级 | 操作 | 定义 |
|---|---|---|
| 1 | / | 除 |
| 2 | * | 乘 |
| 3 | - | 减 |
| 4 | + | 加 |
| 5 | < | 小于. 用法如下: A<B ⇔ (A<=B-0.000001) |
| 6 | > | 大于. 用法如下: A>B ⇔ (A>=B+0.000001) |
| 7 | # | 不等于.用法如下: A#B ⇔ (A<=B-0.000001) | (A>=B+0.000001) |
| 8 | = | 等于. 用法如下: A=B ⇔ (A>B-0.000001) & (A<B+0.000001) |
| 9 | & | 逻辑与 |
| 10 | | | 逻辑或 |
触发器示例
示例一
触发器名称: Processor load is too high on www.zabbix.com
表达式:
{www.zabbix.com:system.cpu.load[all,avg1].last(0)}>5说明:
www.zabbix.com host名称
system.cpu.load[all,avg1] item值,一段时间的cpu平均负载值
last(o) 最新值
>5 大于5如上所示,www.zabbix.com这个主机的监控项,最新的CPU负载值如果大于5,那么表达式会返回true,这样一来触发器状态就改变为“problem”了。
示例二
触发器名称:www.zabbix.com is overloaded
表达式:
{www.zabbix.com:system.cpy.load[all,avg1].last(0)}>5|{www.zabbix.com:system.cpu.load[all,avg1].last(10m)}>2当前cpu负载大于5或者最近10分内的cpu负载大于2,那么表达式将会返回true。
示例三
触发器名称:/etc/passwd has been changed
表达式:
{www.zabbix.com:vfs.file.cksum[/etc/passwd].diff(0)}>0/etc/passwd最新的checksum与上一次获取到的checksum不同,表达式将会返回true. 我们可以使用同样的方法监控系统重要的配置文件,例如/etc/passwd,/etc/inetd.conf等等
示例四
触发器名称:Someone is downloading a large file from the Internet
表达式:
{www.zabbix.com:net.if.in[eth0,bytes].min(5m)}>100k当前主机网卡eth0最后5分钟内接收到的流量超过100KB那么触发器表达式将会返回true
示例五
触发器名称:Both nodes of clustered SMTP server are down
表达式:
{smtp1.zabbix.com:net.tcp.service[smtp].last(0)}=0&{smtp2.zabbix.com:net.tcp.service[smtp].last(0)}=0当smtp1.zabbix.com和smtp2.zabbix.com两台主机上的SMTP服务器都离线,表达式将会返回true.
示例六
触发器名称:Zabbix agent needs to be upgraded
表达式:
{zabbix.zabbix.com:agent.version.str("beta8")}=1如果当前zabbix agent版本包含beta8(假设当前版本为1.0beta8),这个表达式会返回true.
示例七
触发器名称:Server is unreachable
表达式:
{zabbix.zabbix.com:icmpping.count(30m,0)}>5最近30分钟zabbix.zabbix.com这个主机超过5次不可达。
示例八
触发器名称:No heartbeats within last 3 minutes
表达式:
{zabbix.zabbix.com:tick.nodata(3m)}=1tick为Zabbix trapper类型,首先我们要定义一个类型为Zabbix trapper,key为tick的item。我们使用zabbix_sender定期发送数据给tick,如果在3分钟内还未收到zabbix_sender发送来的数据,那么表达式返回一个true,与此同时触发器的值变为“PROBLEM”。
示例九
触发器名称:CPU activity at night time
表达式:
{zabbix:system.cpu.load[all,avg1].min(5m)}>2&{zabbix:system.cpu.load[all,avg1].time(0)}>000000&{zabbix:system.cpu.load[all,avg1].time(0)}<060000只有在凌晨0点到6点整,最近5分钟内cpu负载大于2,表达式返回true,触发器的状态变更为“problem”
示例十
触发器名称:Check if client local time is in sync with Zabbix server time
表达式:
{MySQL_DB:system.localtime.fuzzytime(10)}=0主机MySQL_DB当前服务器时间如果与zabbix server之间的时间相差10秒以上,表达式返回true,触发器状态改变为“problem”
示例十一
触发器名称:Comparing average load today with average load of the same time yesterday (使用 time_shift 时间偏移量参数).
表达式:
{server:system.cpu.load.avg(1h)}/{server:system.cpu.load.avg(1h,1d)}>2一小时内平均值超过昨天同一时刻的两倍十触发告警
Hysteresis(迟滞,滞后)
简单的说触发器状态转变为problem需要一个条件,从problem转变回来还需要一个条件才行。一般触发器只需要不满足触发器为problem条件即可恢复。
有时候触发器需要使用不同的条件来表示不同的状态,举个官网很有趣的例子:机房温度正常稳定为15-20°,当温度超过20°,触发器值为problem,直到温度低于15°才会接触警报,异常会解除。
在zabbix3.2及其以上版本配置触发器时就可以设置Problem expression和Recovery expression
示例一
触发器名称:Temperature in server room is too high
表达式
({TRIGGER.VALUE}=0&{server:temp.last()}>20)|({TRIGGER.VALUE}=1&{server:temp.last()}>15)如上有两个小括号,前面一个表示触发异常的条件,后面一个表达式的反面表示解除异常的条件。
示例二
触发器名称:Free disk space is too low
Problem: 最近5分钟剩余磁盘空间小于10GB。(异常)
Recovery: 最近10分钟剩余磁盘空间大于40GB。(恢复)
简单说便是一旦剩余空间小于10G就触发异常,然后接下来剩余空间必须大于40G才能解除这个异常,就算你剩余空间达到了39G(不在报警条件里)那也是没用的。
表达式:
({TRIGGER.VALUE}=0&{server.vfs.fs.size[/,free].max(5m)}<10G)|({TRIGGER.VALUE}=1&{server:vfs.fs.size[/,free].min(10m)}<40G)示例三
触发器名称:接口[{#PORT}]入口带宽占用率过高
表达式:
({TRIGGER.VALUE}=0 and {7750_ip_route:port_bandwidth_in_ratio[{#PORT}].last()}>75) or ({TRIGGER.VALUE}=1 and {7750_ip_route:port_bandwidth_in_ratio[{#PORT}].max(3600)}>60)监控项原型如下:
| 名称 | 键值 | 间隔 | 历史记录 | 趋势 | 类型 | 应用集 | 状态 | |
|---|---|---|---|---|---|---|---|---|
| [接口{#PORT}]入口带宽占用率 | port_bandwidth_in_ratio[{#PORT}] | 5m | 7d | 90d | Service Robot采集器 | ML_APPLICATION, 接口带宽占用率 | 已启用 |
告警条件:入口带宽占用率(>75%)
恢复条件:一个小时入口带宽占用率(<60%)
参考:
http://www.ttlsa.com/zabbix/zabbix-trigger-expression/
https://www.zabbix.com/documentation/3.4/manual/config/triggers