All functions listed here are supported in:
Some general notes on function parameters:
<
>
/host/key
and (sec|#num)<:time shift>
parameters must never be quoted/host/key
is a common mandatory first parameter for the functions referencing the host item history(sec|#num)<:time shift>
is a common second parameter for the functions referencing the host item history, where:
Some general notes on function parameters:
<
>
/host/key
and (sec|#num)<:time shift>
parameters must never be quotedThe amount of difference between the previous and latest value.
Supported value types: Float, Integer, String, Text, Log.
For strings returns: 0 - values are equal; 1 - values differ.
Parameters: see common parameters.
Comments:
+4
-2
-2.5
Examples:
The number of changes between adjacent values within the defined evaluation period.
Supported value types: Float, Integer, String, Text, Log.
Parameters:
For non-numeric value types, the mode parameter is ignored.
Examples:
changecount(/host/key,1w) #the number of value changes for the last week until now
changecount(/host/key,#10,"inc") #the number of value increases (relative to the adjacent value) among the last 10 values
changecount(/host/key,24h,"dec") #the number of value decreases (relative to the adjacent value) for the last 24 hours until now
The number of values within the defined evaluation period.
Supported value types: Float, Integer, String, Text, Log.
Parameters:
operators
:pattern
pattern
Comments:
pattern
parameter can be specified as two numbers, separated by '/': number_to_compare_with/mask. count() calculates "bitwise AND" from the value and the mask and compares the result to number_to_compare_with. If the result of "bitwise AND" is equal to number_to_compare_with, the value is counted.pattern
parameter can be an ordinary or global (starting with '@') regular expression. In case of global regular expressions case sensitivity is inherited from global regular expression settings. For the purpose of regexp matching, float values will always be represented with 4 decimal digits after '.'. Also note that for large numbers difference in decimal (stored in database) and binary (used by Zabbix server) representation may affect the 4th decimal digit.Examples:
count(/host/key,10m) #the values for the last 10 minutes until now
count(/host/key,10m,"like","error") #the number of values for the last 10 minutes until now that contain 'error'
count(/host/key,10m,,12) #the number of values for the last 10 minutes until now that equal '12'
count(/host/key,10m,"gt",12) #the number of values for the last 10 minutes until now that are over '12'
count(/host/key,#10,"gt",12) #the number of values within the last 10 values until now that are over '12'
count(/host/key,10m:now-1d,"gt",12) #the number of values between 24 hours and 10 minutes and 24 hours ago from now that were over '12'
count(/host/key,10m,"bitand","6/7") #the number of values for the last 10 minutes until now having '110' (in binary) in the 3 least significant bits
count(/host/key,10m:now-1d) #the number of values between 24 hours and 10 minutes and 24 hours ago from now
The number of unique values within the defined evaluation period.
Supported value types: Float, Integer, String, Text, Log.
Parameters:
operators
:pattern
pattern
Comments:
pattern
parameter can be specified as two numbers, separated by '/': number_to_compare_with/mask. countunique() calculates "bitwise AND" from the value and the mask and compares the result to number_to_compare_with. If the result of "bitwise AND" is equal to number_to_compare_with, the value is counted.pattern
parameter can be an ordinary or global (starting with '@') regular expression. In case of global regular expressions case sensitivity is inherited from global regular expression settings. For the purpose of regexp matching, float values will always be represented with 4 decimal digits after '.'. Also note that for large numbers difference in decimal (stored in database) and binary (used by Zabbix server) representation may affect the 4th decimal digit.Examples:
countunique(/host/key,10m) #the number of unique values for the last 10 minutes until now
countunique(/host/key,10m,"like","error") #the number of unique values for the last 10 minutes until now that contain 'error'
countunique(/host/key,10m,,12) #the number of unique values for the last 10 minutes until now that equal '12'
countunique(/host/key,10m,"gt",12) #the number of unique values for the last 10 minutes until now that are over '12'
countunique(/host/key,#10,"gt",12) #the number of unique values within the last 10 values until now that are over '12'
countunique(/host/key,10m:now-1d,"gt",12) #the number of unique values between 24 hours and 10 minutes and 24 hours ago from now that were over '12'
countunique(/host/key,10m,"bitand","6/7") #the number of unique values for the last 10 minutes until now having '110' (in binary) in the 3 least significant bits
countunique(/host/key,10m:now-1d) #the number of unique values between 24 hours and 10 minutes and 24 hours ago from now
Find a value match within the defined evaluation period.
Supported value types: Float, Integer, String, Text, Log.
Returns: 1 - found; 0 - otherwise.
Parameters:
operators
:pattern
(case-sensitive)pattern
pattern
operator
is regexp, iregexp.Comments:
pattern
parameter can be an ordinary or global (starting with '@') regular expression. In case of global regular expressions case sensitivity is inherited from the global regular expression settings.Example:
find(/host/key,10m,"like","error") #find a value that contains 'error' within the last 10 minutes until now
The first (the oldest) value within the defined evaluation period.
Supported value types: Float, Integer, String, Text, Log.
Parameters:
See also last().
Example:
Check how much the passive agent time differs from the Zabbix server/proxy time.
Supported value types: Float, Integer.
Returns: 1 - difference between the passive item value (as timestamp) and Zabbix server/proxy timestamp (the clock of value collection) is less than or equal to T seconds; 0 - otherwise.
Parameters:
Comments:
vfs.file.time[/path/file,modify]
key to check that the file did not get updates for long time;fuzzytime(/Host/system.localtime,60s)=0 or last(/Host/trap)<>0
.Example:
The most recent value.
Supported value types: Float, Integer, String, Text, Log.
Parameters:
Comments:
last()
is always equal to last(#1)
; last(#3)
- the third most recent value (not three latest values);Example:
last(/host/key) #retrieve the last value
last(/host/key,#2) #retrieve the previous value
last(/host/key,#1) <> last(/host/key,#2) #the last and previous values differ
Check if the event ID of the last log entry matches a regular expression.
Supported value types: Log.
Returns: 0 - does not match; 1 - matches.
Parameters:
Log severity of the last log entry.
Supported value types: Log.
Returns: 0 - default severity; N - severity (integer, useful for Windows event logs: 1 - Information, 2 - Warning, 4 - Error, 7 - Failure Audit, 8 - Success Audit, 9 - Critical, 10 - Verbose).
Parameters:
Zabbix takes log severity from the Information field of Windows event log.
Check if log source of the last log entry matches a regular expression.
Supported value types: Log.
Returns: 0 - does not match; 1 - matches.
Parameters:
Normally used for Windows event logs.
Example:
Check if there has been a monotonous decrease in values.
Supported value types: Integer.
Returns: 1 - if all elements in the time period continuously decrease; 0 - otherwise.
Parameters:
Example:
monodec(/Host1/system.swap.size[all,free],60s) + monodec(/Host2/system.swap.size[all,free],60s) + monodec(/Host3/system.swap.size[all,free],60s) #calculate in how many hosts there has been a decrease in free swap size
Check if there has been a monotonous increase in values.
Supported value types: Integer.
Returns: 1 - if all elements in the time period continuously increase; 0 - otherwise.
Parameters:
Example:
monoinc(/Host1/system.localtime,#3,"strict")=0 #check if the system local time has been increasing consistently
Check for no data received.
Supported value types: Integer, Float, Character, Text, Log.
Returns: 1 - if no data received during the defined period of time; 0 - otherwise.
Parameters:
nodata(/host/key,0)
is disallowed.Comments:
nodata(/host/key,5m,"strict")
; in this case the function will fire as soon as the evaluation period (five minutes) without data has past.The P-th percentile of a period, where P (percentage) is specified by the third parameter.
Supported value types: Float, Integer.
Parameters:
The per-second average rate of the increase in a monotonically increasing counter within the defined time period.
Supported value types: Float, Integer.
Parameters:
Functionally corresponds to 'rate' of PromQL.
Example:
rate(/host/key,30s) #if the monotonic increase over 30 seconds is 20, this function will return 0.67.
FUNCTION | |||
---|---|---|---|
Description | Function-specific parameters | Comments | |
baselinedev (/host/key,data period:time shift,season_unit,num_seasons) | |||
Returns the number of deviations (by stddevpop algorithm) between the last data period and the same data periods in preceding seasons. | data period - the data gathering period within a season, defined as <N><time unit> whereN - number of time unitstime unit - h (hour), d (day), w (week), M (month) or y (year), must be equal to or less than season Time shift - the time period offset (see examples) season_unit - duration of one season (h, d, w, M, y), cannot be smaller than data period num_seasons - number of seasons to evaluate |
Examples: => baselinedev(/host/key,1d:now/d,"M",6) → calculating the number of standard deviations (population) between the previous day and the same day in the previous 6 months. If the date doesn't exist in a previous month, the last day of the month will be used (Jul,31 will be analysed against Jan,31, Feb, 28,... June, 30). => baselinedev(/host/key,1h:now/h,"d",10) → calculating the number of standard deviations (population) between the previous hour and the same hours over the period of ten days before yesterday. |
|
baselinewma (/host/key,data period:time shift,season_unit,num_seasons) | |||
Calculates the baseline by averaging data from the same timeframe in multiple equal time periods ('seasons') using the weighted moving average algorithm. | data period - the data gathering period within a season, defined as <N><time unit> whereN - number of time unitstime unit - h (hour), d (day), w (week), M (month) or y (year), must be equal to or less than season Time shift - the time period offset, defines the end of data gathering time frame in seasons (see examples) season_unit - duration of one season (h, d, w, M, y), cannot be smaller than data period num_seasons - number of seasons to evaluate |
Examples: => baselinewma(/host/key,1h:now/h,"d",3) → calculating baseline based on the last full hour within a 3-day period that ended yesterday. If "now" is Monday 13:30, the data for 12:00-12:59 on Friday, Saturday, and Sunday will be analyzed. => baselinemwa(/host/key,2h:now/h,"d",3) → calculating baseline based on the last two hours within a 3-day period that ended yesterday. If "now" is Monday 13:30, the data for 10:00-11:59 on Friday, Saturday, and Sunday will be analyzed. => baselinewma(/host/key,1d:now/d,"M",4) → calculating baseline based on the last days of previous 4 months, excluding the last full month. If today is September 1st, the data for July 31st, June 30th, May 31st, April 30th will be analyzed. |
|
change (/host/key) | |||
The amount of difference between the previous and latest value. | Supported value types: float, int, str, text, log For strings returns: 0 - values are equal 1 - values differ Example: => change(/host/key)>10 Numeric difference will be calculated, as seen with these incoming example values ('previous' and 'latest' value = difference): '1' and '5' = +4 '3' and '1' = -2 '0' and '-2.5' = -2.5 See also: abs for comparison |
||
changecount (/host/key,(sec|#num)<:time shift>,<mode>) | |||
Number of changes between adjacent values within the defined evaluation period. | See common parameters. mode (optional; must be double-quoted) Supported modes :all - count all changes (default) dec - count decreases inc - count increases |
Supported value types: float, int, str, text, log For non-numeric value types, mode parameter is ignored. Examples: => changecount(/host/key, 1w) → number of value changes for the last week until now => changecount(/host/key,#10,"inc") → number of value increases (relative to the adjacent value) among the last 10 values => changecount(/host/key,24h,"dec") → number of value decreases (relative to the adjacent value) for the last 24 hours until now |
|
count (/host/key,(sec|#num)<:time shift>,<operator>,<pattern>) | |||
Number of values within the defined evaluation period. | See common parameters. operator (optional; must be double-quoted) Supported operators :eq - equal (default) ne - not equal gt - greater ge - greater or equal lt - less le - less or equal like - matches if contains pattern (case-sensitive) bitand - bitwise AND regexp - case-sensitive match of the regular expression given in pattern iregexp - case-insensitive match of the regular expression given in pattern pattern (optional) - required pattern (string arguments must be double-quoted) |
Supported value types: float, integer, string, text, log Float items match with the precision of 2.22e-16; if database is not upgraded the precision is 0.000001. With bitand as the third parameter, the fourth pattern parameter can be specified as two numbers, separated by '/': number_to_compare_with/mask. count() calculates "bitwise AND" from the value and the mask and compares the result to number_to_compare_with. If the result of "bitwise AND" is equal to number_to_compare_with, the value is counted.If number_to_compare_with and mask are equal, only the mask need be specified (without '/'). With regexp or iregexp as the third parameter, the fourth pattern parameter can be an ordinary or global (starting with '@') regular expression. In case of global regular expressions case sensitivity is inherited from global regular expression settings. For the purpose of regexp matching, float values will always be represented with 4 decimal digits after '.'. Also note that for large numbers difference in decimal (stored in database) and binary (used by Zabbix server) representation may affect the 4th decimal digit.Examples: => count(/host/key,10m) → number of values for the last 10 minutes until now => count(/host/key,10m,"like","error") → number of values for the last 10 minutes until now that contain 'error' => count(/host/key,10m,,12) → number of values for the last 10 minutes until now that equal '12' => count(/host/key,10m,"gt",12) → number of values for the last 10 minutes until now that are over '12' => count(/host/key,#10,"gt",12) → number of values within the last 10 values until now that are over '12' => count(/host/key,10m:now-1d,"gt",12) → number of values between 24 hours and 10 minutes and 24 hours ago from now that were over '12' => count(/host/key,10m,"bitand","6/7") → number of values for the last 10 minutes until now having '110' (in binary) in the 3 least significant bits. => count(/host/key,10m:now-1d) → number of values between 24 hours and 10 minutes and 24 hours ago from now |
|
countunique (/host/key,(sec|#num)<:time shift>,<operator>,<pattern>) | |||
Number of unique values within the defined evaluation period. | See common parameters. operator (optional; must be double-quoted) Supported operators :eq - equal (default) ne - not equal gt - greater ge - greater or equal lt - less le - less or equal like - matches if contains pattern (case-sensitive) bitand - bitwise AND regexp - case-sensitive match of the regular expression given in pattern iregexp - case-insensitive match of the regular expression given in pattern pattern (optional) - required pattern (string arguments must be double-quoted) |
Supported value types: float, integer, string, text, log Float items match with the precision of 2.22e-16; if database is not upgraded the precision is 0.000001. With bitand as the third parameter, the fourth pattern parameter can be specified as two numbers, separated by '/': number_to_compare_with/mask. count() calculates "bitwise AND" from the value and the mask and compares the result to number_to_compare_with. If the result of "bitwise AND" is equal to number_to_compare_with, the value is counted.If number_to_compare_with and mask are equal, only the mask need be specified (without '/'). With regexp or iregexp as the third parameter, the fourth pattern parameter can be an ordinary or global (starting with '@') regular expression. In case of global regular expressions case sensitivity is inherited from global regular expression settings. For the purpose of regexp matching, float values will always be represented with 4 decimal digits after '.'. Also note that for large numbers difference in decimal (stored in database) and binary (used by Zabbix server) representation may affect the 4th decimal digit.Examples: => countunique(/host/key,10m) → number of unique values for the last 10 minutes until now => countunique(/host/key,10m,"like","error") → number of unique values for the last 10 minutes until now that contain 'error' => countunique(/host/key,10m,"gt",12) → number of unique values for the last 10 minutes until now that are over '12' => countunique(/host/key,#10,"gt",12) → number of unique values within the last 10 values until now that are over '12' => countunique(/host/key,10m:now-1d,"gt",12) → number of unique values between 24 hours and 10 minutes and 24 hours ago from now that were over '12' => countunique(/host/key,10m,"bitand","6/7") → number of unique values for the last 10 minutes until now having '110' (in binary) in the 3 least significant bits. => countunique(/host/key,10m:now-1d) → number of unique values between 24 hours and 10 minutes and 24 hours ago from now |
|
find (/host/key,<(sec|#num)<:time shift>>,<operator>,<pattern>) | |||
Find a value match. | See common parameters. sec or #num (optional) - defaults to the latest value if not specified operator (optional; must be double-quoted) Supported operators :eq - equal (default) ne - not equal gt - greater ge - greater or equal lt - less le - less or equal like - value contains the string given in pattern (case-sensitive)bitand - bitwise AND regexp - case-sensitive match of the regular expression given in pattern iregexp - case-insensitive match of the regular expression given in pattern pattern - required pattern (string arguments must be double-quoted); Perl Compatible Regular Expression (PCRE) regular expression if operator is regexp, iregexp. |
Supported value types: float, int, str, text, log Returns: 1 - found 0 - otherwise If more than one value is processed, '1' is returned if there is at least one matching value. With regexp or iregexp as the third parameter, the fourth pattern parameter can be an ordinary or global (starting with '@') regular expression. In case of global regular expressions case sensitivity is inherited from global regular expression settings.Example: => find(/host/key,10m,"like","error") → find a value that contains 'error' within the last 10 minutes until now |
|
first (/host/key,sec<:time shift>) | |||
The first (the oldest) value within the defined evaluation period. | See common parameters. | Supported value types: float, int, str, text, log Example: => first(/host/key,1h) → retrieve the oldest value within the last hour until now See also last(). |
|
fuzzytime (/host/key,sec) | |||
Checking how much the passive agent time differs from the Zabbix server/proxy time. | See common-parameters. | Supported value types: float, int Returns: 1 - difference between the passive item value (as timestamp) and Zabbix server/proxy timestamp is less than or equal to T seconds 0 - otherwise Usually used with the 'system.localtime' item to check that local time is in sync with the local time of Zabbix server. Note that 'system.localtime' must be configured as a passive check. Can be used also with vfs.file.time[/path/file,modify] key to check that file didn't get updates for long time. Example: => fuzzytime(/host/key,60s)=0 → detect a problem if the time difference is over 60 seconds This function is not recommended for use in complex trigger expressions (with multiple items involved), because it may cause unexpected results (time difference will be measured with the most recent metric), e.g. in fuzzytime(/Host/system.localtime,60s)=0 or last(/Host/trap)<>0 |
|
last (/host/key,<#num<:time shift>>) | |||
The most recent value. | See common parameters. #num (optional) - the Nth most recent value |
Supported value types: float, int, str, text, log Take note that a hash-tagged time period (#N) works differently here than with many other functions. For example: last() is always equal to last(#1) last(#3) - third most recent value (not three latest values) Zabbix does not guarantee the exact order of values if more than two values exist within one second in history. Example: => last(/host/key) → retrieve the last value => last(/host/key,#2) → retrieve the previous value => last(/host/key,#1) <> last(/host/key,#2) → the last and previous values differ See also first(). |
|
logeventid (/host/key,<#num<:time shift>>,<pattern>) | |||
Checking if event ID of the last log entry matches a regular expression. | See common parameters. #num (optional) - the Nth most recent value pattern (optional) - regular expression describing the required pattern, Perl Compatible Regular Expression (PCRE) style (string arguments must be double-quoted). |
Supported value types: log Returns: 0 - does not match 1 - matches |
|
logseverity (/host/key,<#num<:time shift>>) | |||
Log severity of the last log entry. | See common parameters. #num (optional) - the Nth most recent value |
Supported value types: log Returns: 0 - default severity N - severity (integer, useful for Windows event logs: 1 - Information, 2 - Warning, 4 - Error, 7 - Failure Audit, 8 - Success Audit, 9 - Critical, 10 - Verbose). Zabbix takes log severity from Information field of Windows event log. |
|
logsource (/host/key,<#num<:time shift>>,<pattern>) | |||
Checking if log source of the last log entry matches a regular expression. | See common parameters. #num (optional) - the Nth most recent value pattern (optional) - regular expression describing the required pattern, Perl Compatible Regular Expression (PCRE) style (string arguments must be double-quoted). |
Supported value types: log Returns: 0 - does not match 1 - matches Normally used for Windows event logs. For example, logsource("VMware Server"). |
|
monodec (/host/key,(sec|#num)<:time shift>,<mode>) | |||
Check if there has been a monotonous decrease in values. | See common parameters. mode (must be double-quoted) - weak (every value is smaller or the same as the previous one; default) or strict (every value has decreased) |
Supported value types: int Returns 1 if all elements in the time period continuously decrease, 0 otherwise. Example: => monodec(/Host1/system.swap.size[all,free],60s) + monodec(/Host2/system.swap.size[all,free],60s) + monodec(/Host3/system.swap.size[all,free],60s) - calculate in how many hosts there has been a decrease in free swap size |
|
monoinc (/host/key,(sec|#num)<:time shift>,<mode>) | |||
Check if there has been a monotonous increase in values. | See common parameters. mode (must be double-quoted) - weak (every value is bigger or the same as the previous one; default) or strict (every value has increased) |
Supported value types: int Returns 1 if all elements in the time period continuously increase, 0 otherwise. Example: => monoinc(/Host1/system.localtime,#3,"strict")=0 - check if system local time has been increasing consistently |
|
nodata (/host/key,sec,<mode>) | |||
Checking for no data received. | See common parameters. sec period should not be less than 30 seconds because the history syncer process calculates this function only every 30 seconds. nodata(/host/key,0) is disallowed. mode - if set to strict (double-quoted), this function will be insensitive to proxy availability (see comments for details). |
All value types are supported. Returns: 1 - if no data received during the defined period of time 0 - otherwise Since Zabbix 5.0, the 'nodata' triggers monitored by proxy are, by default, sensitive to proxy availability - if proxy becomes unavailable, the 'nodata' triggers will not fire immediately after a restored connection, but will skip the data for the delayed period. Note that for passive proxies suppression is activated if connection is restored more than 15 seconds and no less than 2 & ProxyUpdateFrequency seconds later. For active proxies suppression is activated if connection is restored more than 15 seconds later. To turn off sensitiveness to proxy availability, use the third parameter, e.g.: nodata(/host/key,5m,"strict"); in this case the function will work the same as before 5.0.0 and fire as soon as the evaluation period (five minutes) without data has past. Note that this function will display an error if, within the period of the 1st parameter: - there's no data and Zabbix server was restarted - there's no data and maintenance was completed - there's no data and the item was added or re-enabled Errors are displayed in the Info column in trigger configuration. This function may not work properly if there are time differences between Zabbix server, proxy and agent. See also: Time synchronization requirement. |
|
percentile (/host/key,(sec|#num)<:time shift>,percentage) | |||
P-th percentile of a period, where P (percentage) is specified by the third parameter. | See common parameters. percentage - a floating-point number between 0 and 100 (inclusive) with up to 4 digits after the decimal point |
Supported value types: float, int | |
rate (/host/key,sec<:time shift>) | |||
Per-second average rate of the increase in a monotonically increasing counter within the defined time period. | See common parameters. | Supported value types: float, int Functionally corresponds to 'rate' of PromQL. Example: => rate(/host/key,30s) → If the monotonic increase over 30 seconds is 20, this function will return 0.67. |
|
trendavg (/host/key,time period:time shift) | |||
Average of trend values within the defined time period. | time period - the time period (minimum '1h'), defined as <N><time unit> whereN - number of time unitstime unit - h (hour), d (day), w (week), M (month) or y (year).Time shift - the time period offset (see examples) |
Examples: => trendavg(/host/key,1h:now/h) → average for the previous hour (e.g. 12:00-13:00) => trendavg(/host/key,1h:now/h-1h) → average for two hours ago (11:00-12:00) => trendavg(/host/key,1h:now/h-2h) → average for three hours ago (10:00-11:00) => trendavg(/host/key,1M:now/M-1y) → average for the previous month a year ago |
|
trendcount (/host/key,time period:time shift) | |||
Number of successfully retrieved trend values within the defined time period. | time period - the time period (minimum '1h'), defined as <N><time unit> whereN - number of time unitstime unit - h (hour), d (day), w (week), M (month) or y (year).Time shift - the time period offset (see examples) |
Examples: => trendcount(/host/key,1h:now/h) → count for the previous hour (e.g. 12:00-13:00) => trendcount(/host/key,1h:now/h-1h) → count for two hours ago (11:00-12:00) => trendcount(/host/key,1h:now/h-2h) → count for three hours ago (10:00-11:00) => trendcount(/host/key,1M:now/M-1y) → count for the previous month a year ago |
|
trendmax (/host/key,time period:time shift) | |||
The maximum in trend values within the defined time period. | time period - the time period (minimum '1h'), defined as <N><time unit> whereN - number of time unitstime unit - h (hour), d (day), w (week), M (month) or y (year).Time shift - the time period offset (see examples) |
Examples: => trendmax(/host/key,1h:now/h) → maximum for the previous hour (e.g. 12:00-13:00) => trendmax(/host/key,1h:now/h) - trendmin(/host/key,1h:now/h) → calculate the difference between the maximum and minimum values (trend delta) for the previous hour (12:00-13:00) => trendmax(/host/key,1h:now/h-1h) → maximum for two hours ago (11:00-12:00) => trendmax(/host/key,1h:now/h-2h) → maximum for three hours ago (10:00-11:00) => trendmax(/host/key,1M:now/M-1y) → maximum for the previous month a year ago |
|
trendmin (/host/key,time period:time shift) | |||
The minimum in trend values within the defined time period. | time period - the time period (minimum '1h'), defined as <N><time unit> whereN - number of time unitstime unit - h (hour), d (day), w (week), M (month) or y (year).Time shift - the time period offset (see examples) |
Examples: => trendmin(/host/key,1h:now/h) → minimum for the previous hour (e.g. 12:00-13:00) => trendmin(/host/key,1h:now/h) - trendmin(/host/key,1h:now/h) → calculate the difference between the maximum and minimum values (trend delta) for the previous hour (12:00-13:00) => trendmin(/host/key,1h:now/h-1h) → minimum for two hours ago (11:00-12:00) => trendmin(/host/key,1h:now/h-2h) → minimum for three hours ago (10:00-11:00) => trendmin(/host/key,1M:now/M-1y) → minimum for the previous month a year ago |
|
trendstl (/host/key,eval period:time shift,detection period,season,<deviations>,<devalg>,<s_window>) | |||
Returns an anomaly rate - a decimal value between 0 and 1 that is ((the number of anomaly values in detect period) / (total number of values in detect period). | eval period - the time period that must be decomposed (minimum '1h'), defined as <N><time unit> whereN - number of time unitstime unit - h (hour), d (day), w (week), M (month) or y (year).Time shift - the time period offset (see examples) detection period - the time period starting from the end of eval period for which anomalies are calculated (minimum '1h', cannot be longer than eval period), defined as <N><time unit> where N - number of time unitstime unit - h (hour), d (day), w (week).season - the shortest time period where seasonality (repeating patterns) is expected (minimum '2h', cannot be longer than eval period, number of entries in the eval period must be greater than the two times of the resulting frequency (season/h)), defined as <N><time unit> where N - number of time unitstime unit - h (hour), d (day), w (week).deviations - the number of deviations (calculated with devalg) to count as anomaly (can be decimal), (must be greater than or equal to 1, default is 3) devalg (must be double-quoted) - deviation algorithm, can be stddevpop, stddevsamp or mad (default) s_window - the span (in lags) of the loess window for seasonal extraction (default is 10 * number of entries in eval period + 1) |
Examples: => trendstl(/host/key,100h:now/h,10h,2h) → analysing the last 100 hours of trend data, find the anomalies rate for the previous 10 hours of that period, expecting the periodicity to be 2h, the remainder series values of the evaluation period are considered anomalies if they reach the value of 3 deviations of the MAD of that remainder series => trendstl(/host/key,100h:now/h-10h,100h,2h,2.1,"mad") → analysing the period of previous 100 hours of trend data, starting counting 10 hours ago find the anomalies rate for that entire period expecting the periodicity to be 2h, the remainder series values of the evaluation period are considered anomalies if they reach the value of 2,1 deviations of the MAD of that remainder series => trendstl(/host/key,100d:now/d-1d,10d,1d,4,,10) → analysing previous 100 days of trend data starting from a day ago, find the anomalies rate for the period of last 10d of that period, expecting the periodicity to be 1d, the remainder series values of the evaluation period are considered anomalies if they reach the value of 4 deviations of the MAD of that remainder series, overriding the default span of the loess window for seasonal extraction of "10 * number of entries in eval period + 1" with the span of 10 lags => trendstl(/host/key,1M:now/M-1y,1d,2h,,"stddevsamp") → minimum for the previous month a year ago analysing previous month of trend data starting from a year ago, find the anomalies rate of the last day of that period expecting the periodicity to be 2h, the remainder series values of the evaluation period are considered anomalies if they reach the value of 3 deviation of the sample standard deviation of that remainder series |
|
trendsum (/host/key,time period:time shift) | |||
Sum of trend values within the defined time period. | time period - the time period (minimum '1h'), defined as <N><time unit> whereN - number of time unitstime unit - h (hour), d (day), w (week), M (month) or y (year).Time shift - the time period offset (see examples) |
Examples: => trendsum(/host/key,1h:now/h) → sum for the previous hour (e.g. 12:00-13:00) => trendsum(/host/key,1h:now/h-1h) → sum for two hours ago (11:00-12:00) => trendsum(/host/key,1h:now/h-2h) → sum for three hours ago (10:00-11:00) => trendsum(/host/key,1M:now/M-1y) → sum for the previous month a year ago |