Automate pattern detection in collected values. The new find history function provides multiple ways of searching for patterns in collected data.

Previously, Zabbix had multiple trigger functions for detecting string patterns – str, regexp, and iregexp. To simplify the history analysis, they were merged into a single Find function.

In Zabbix 5.4 release, we have introduced the new trigger expression syntax and added over 60 new trigger functions. One of them is the new Find history function, which:

  • Can detect a string or a regex pattern
  • Can check for a number that is greater/less than the given value
  • Has 10 different operators, including equal/not equal, bitwise AND, greater/less, like (for strings), regexp/iregexp
  • Returns 1 if a match is found and 0 otherwise
  • Supports time shift parameter for moving the evaluation period back in time

In the video, we explain how to detect log errors using the find function.

How to detect log errors with the find function:

  1. Open the item configuration form
  2. Select type Zabbix agent (active)
  3. For the key field, press Select and choose log from the item list
  4. Specify the path to the log file in square brackets
  5. Set the type of information to Log
  6. The recommended update interval is 1 second
  7. Save the item and switch to the host triggers
  8. Press Create a new trigger
  9. Enter name and set trigger severity
  10. Open the expression builder
    10.1. Select the log item
    10.2. Selec the find function
    10.3. Define the evaluation time period, the operator, the search pattern, and the result
  11. Save the trigger
Tips and best practices:
  • To avoid storing excessive log data, define your items with the required pattern
  • Triggers can analyze values over time or over number of previous values
  • With regexp or iregexp operators, the fourth parameter can be a Global regular expression 
  • Like and regexp operators are case sensitive, while iregexp is case-insensitive
  • Triggers using the find function are recalculated only when new values are received
Subscribe
Notify of
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x