I hope I can be clear enough in detailing this situation.
Scenario Description
Zabbix collects a value every minute.
- The last value collected must be between 70% greater or 70% lesser than the average of the 5 previously collected values.
- If the last value is greater than or lesser than 70%, an alert must be issued
With this in mind, let's consider two different scenarios:
Scenario 1
Consider this snippet of Last 500 values:
| Index | Timestamp | Value |
|---|---|---|
| 1 | 2024-08-09 11:16:20 | 203 |
| 2 | 2024-08-09 11:15:20 | 214 |
| 3 | 2024-08-09 11:14:20 | 183 |
| 4 | 2024-08-09 11:13:20 | 213 |
| 5 | 2024-08-09 11:12:20 | 202 |
| 6 | 2024-08-09 11:11:20 | 224 |
If I consider the row 1 as my last value:
- Last Value = 203
- Average of the previous 5 Values = (214+183+213+202+224)/5 = 207.2
- Variation between Last Value and Average is calculated by:
( (Last Value - (Average + 0.0001)) / (Average + 0.0001) ) * 100
So, the variation is -2.02%. And this should not raise an alert.
Scenario 2
Consider this other snippet of Last 500 values:
| Index | Timestamp | Value |
|---|---|---|
| 1 | 2024-08-09 11:16:20 | 231 |
| 2 | 2024-08-09 11:15:20 | 130 |
| 3 | 2024-08-09 11:14:20 | 110 |
| 4 | 2024-08-09 11:13:20 | 108 |
| 5 | 2024-08-09 11:12:20 | 90 |
| 6 | 2024-08-09 11:11:20 | 95 |
If I consider the row 1 as my last value:
- Last Value = 231
- Average of the previous 5 Values = (130+110+108+90+95)/5 = 106.6
- Variation between Last Value and Average is calculated by:
( (Last Value - (Average + 0.0001)) / (Average + 0.0001) ) * 100
So, the variation is 116.69%. And this MUST raise an alert.
Alert Configuration
The relevant fields of the trigger configuration form are:
Operational Data
In this field, I am trying to understand how the values are read by a Zabbix trigger.
L1: {ITEM.VALUE1}, L2: {ITEM.VALUE2}, L3: {ITEM.VALUE3}, L4: {ITEM.VALUE4}, L5: {ITEM.VALUE5}
My goal is to elaborate meaningful sentences to my users with these values.
Expression
(((last(/ino01-logserver/createdByMin.FTBNotifications) - (avg(/ino01-logserver/createdByMin.FTBNotifications,#5:now-1m)+0.0001))/(avg(/ino01-logserver/createdByMin.FTBNotifications,#5:now-1m)+0.0001))*100 > {$FTB.MAX.PERCENT})
or
avg(/ino01-logserver/createdByMin.FTBNotifications,#5:now-1m) = 0
Please note that:
- Adding 0.0001 avoids DIV/0 error;
- A row of 5 ZEROS must also raise an alert, that's why the logical expression has an OR.
The malformed alert
Telegram sent me this alert:
High Event 2348341 at logserver.utl.inovaxio
〰️
✏️ No último minuto a quantidade de Webhooks FTBK variou mais que 70% (para mais ou para menos) do que a média dos últimos 5 minutos anteriores, OU a média dos últimos 5 minutos está ZERADA
Operational data: L1: 258, L2: 258, L3: 258, L4: 258, L5: UNKNOWN
⏰ Started at 08:50:20 on 2024.08.03
Operational data
Either {ITEM.VALUE<1-9>} or {ITEM.LASTVALUE<1-9>} always shows the same value. What I understood is that {ITEM.VALUE<1-9>} or {ITEM.LASTVALUE<1-9>} would be defined according to the precedence in the Expression field. So, considering Scenario 2 table:
| ITEM.VALUE | Expression Item |
|---|---|
| ITEM.VALUE1 | last(/ino01-logserver/createdByMin.FTBNotifications) |
| ITEM.VALUE2 | avg(/ino01-logserver/createdByMin.FTBNotifications,#5:now-1m) |
| ITEM.VALUE3 | avg(/ino01-logserver/createdByMin.FTBNotifications,#5:now-1m) |
| ITEM.VALUE4 | avg(/ino01-logserver/createdByMin.FTBNotifications,#5:now-1m) |
| ITEM.VALUE5 | UNKNOWN |
So in this experience, {ITEM.VALUE1} should be different than {ITEM.VALUE2}, {ITEM.VALUE3} and {ITEM.VALUE5}. I was already expecting {ITEM.VALUE5} to fail.
Question: Why are all {ITEM.VALUE} equal?
Expression
I'm receiving many more alerts than I was expecting. So, maybe I haven't correctly translated my model to the Expression syntax.
Question: Have I misused last and/or avg functions?
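
The rule described in this question, modelled outside Zabbix so it can be checked against the two tables. This is an added example, not part of the original post and not Zabbix code. The function names, the value 70 for {$FTB.MAX.PERCENT}, and the DROP and ZEROS samples are assumptions made for illustration. It evaluates the rule both as written in the Scenario Description (70% greater or lesser) and with a `>` comparison only, which is how the posted Expression compares the variation.

```python
from statistics import mean

EPSILON = 0.0001      # same guard against division by zero as in the post
MAX_PERCENT = 70.0    # assumed value of {$FTB.MAX.PERCENT}, from the 70% rule

def variation(values):
    """values[0] is the newest sample; values[1:6] are the 5 samples before it."""
    if len(values) < 6:
        raise ValueError("need the last value plus 5 previous values")
    baseline = mean(values[1:6]) + EPSILON
    return (values[0] - baseline) / baseline * 100

def evaluate(values, two_sided=True):
    """Return (variation_percent, alert) for one evaluation of the rule.

    two_sided=True follows the written rule (70% greater OR lesser);
    two_sided=False mirrors a comparison that only uses '>'.
    """
    pct = variation(values)
    zero_baseline = mean(values[1:6]) == 0   # "a row of 5 ZEROS" case
    exceeded = abs(pct) > MAX_PERCENT if two_sided else pct > MAX_PERCENT
    return pct, exceeded or zero_baseline

# Values copied from the two tables in the post, newest first.
SCENARIO_1 = [203, 214, 183, 213, 202, 224]
SCENARIO_2 = [231, 130, 110, 108, 90, 95]
# Constructed samples (not from the post): a sharp drop and an all-zero window.
DROP = [20, 130, 110, 108, 90, 95]
ZEROS = [0, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    samples = [("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2),
               ("drop", DROP), ("zeros", ZEROS)]
    for name, series in samples:
        pct, both = evaluate(series)
        _, upper_only = evaluate(series, two_sided=False)
        print(f"{name}: {pct:.1f}% two-sided={both} '>'-only={upper_only}")
```
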