I use Zabbix to scan my logs for certain keywords. This is my item (configured as an active check, type of information "log"):
logrt["/var/log/syslog(\.[0-9])?$","(error|fail|failed)",,,skip]
And the corresponding trigger:
{HOSTNAME:logrt["/var/log/syslog(\.[0-9])?$","(error|fail|failed)",,,skip].iregexp("(error|fail|failed)")}=1
and {HOSTNAME:logrt["/var/log/syslog(\.[0-9])?$","(error|fail|failed)",,,skip].nodata(10)}=0
The problem is that I get two emails each time there's a log entry that triggers the pattern: one is the PROBLEM message and the second is the RESOLVED message.
Does anyone know how to get rid of the second (RESOLVED) message and receive only one message instead?