4 History functions

All functions listed here are supported in:

Some general notes on function parameters:

  • Function parameters are separated by a comma
  • Optional function parameters (or parameter parts) are indicated by < >
  • Function-specific parameters are described with each function
  • /host/key and (sec|#num)<:time shift> parameters must never be quoted
Common parameters
  • /host/key is a common mandatory first parameter for the functions referencing the host item history
  • (sec|#num)<:time shift> is a common second parameter for the functions referencing the host item history, where:
    • sec - maximum evaluation period in seconds (time suffixes can be used), or
    • #num - maximum evaluation range in latest collected values (if preceded by a hash mark)
    • time shift (optional) allows to move the evaluation point back in time. See more details on specifying time shift.

History functions

FUNCTION
DescriptionFunction-specific parametersComments
baselinedev (/host/key,data period:time shift,season_unit,num_seasons)
Returns the number of deviations (by stddevpop algorithm) between the last data period and the same data periods in preceding seasons.data period - the data gathering period within a season, defined as <N><time unit> where
N - number of time units
time unit - h (hour), d (day), w (week), M (month) or y (year), must be equal to or less than season

Time shift - the time period offset (see examples)

season_unit - duration of one season (h, d, w, M, y), cannot be smaller than data period

num_seasons - number of seasons to evaluate
Examples:
=> baselinedev(/host/key,1d:now/d,”M”,6) → calculating the number of standard deviations (population) between the previous day and the same day in the previous 6 months. If the date doesn’t exist in a previous month, the last day of the month will be used (Jul,31 will be analysed against Jan,31, Feb, 28,… June, 30).
=> baselinedev(/host/key,1h:now/h,”d”,10) → calculating the number of standard deviations (population) between the previous hour and the same hours over the period of ten days before yesterday.
baselinewma (/host/key,data period:time shift,season_unit,num_seasons)
Calculates the baseline by averaging data from the same timeframe in multiple equal time periods (‘seasons’) using the weighted moving average algorithm.data period - the data gathering period within a season, defined as <N><time unit> where
N - number of time units
time unit - h (hour), d (day), w (week), M (month) or y (year), must be equal to or less than season

Time shift - the time period offset, defines the end of data gathering time frame in seasons (see examples)

season_unit - duration of one season (h, d, w, M, y), cannot be smaller than data period

num_seasons - number of seasons to evaluate
Examples:
=> baselinewma(/host/key,1h:now/h,”d”,3) → calculating baseline based on the last full hour within a 3-day period that ended yesterday. If “now” is Monday 13:30, the data for 12:00-12:59 on Friday, Saturday, and Sunday will be analyzed.
=> baselinemwa(/host/key,2h:now/h,”d”,3) → calculating baseline based on the last two hours within a 3-day period that ended yesterday. If “now” is Monday 13:30, the data for 10:00-11:59 on Friday, Saturday, and Sunday will be analyzed.
=> baselinewma(/host/key,1d:now/d,”M”,4) → calculating baseline based on the last days of previous 4 months, excluding the last full month. If today is September 1st, the data for July 31st, June 30th, May 31st, April 30th will be analyzed.
change (/host/key)
The amount of difference between the previous and latest value.Supported value types: float, int, str, text, log

For strings returns:
0 - values are equal
1 - values differ

Example:
=> change(/host/key)>10

Numeric difference will be calculated, as seen with these incoming example values (‘previous’ and ‘latest’ value = difference):
‘1’ and ‘5’ = +4
‘3’ and ‘1’ = -2
‘0’ and ‘-2.5’ = -2.5

See also: abs for comparison
changecount (/host/key,(sec|#num)<:time shift>,<mode>)
Number of changes between adjacent values within the defined evaluation period.See common parameters.

mode (optional; must be double-quoted)

Supported modes:
all - count all changes (default)
dec - count decreases
inc - count increases
Supported value types: float, int, str, text, log

For non-numeric value types, mode parameter is ignored.

Examples:
=> changecount(/host/key, 1w) → number of value changes for the last week until now
=> changecount(/host/key,#10,”inc”) → number of value increases (relative to the adjacent value) among the last 10 values
=> changecount(/host/key,24h,”dec”) → number of value decreases (relative to the adjacent value) for the last 24 hours until now
count (/host/key,(sec|#num)<:time shift>,<operator>,<pattern>)
Number of values within the defined evaluation period.See common parameters.

operator (optional; must be double-quoted)

Supported operators:
eq - equal (default)
ne - not equal
gt - greater
ge - greater or equal
lt - less
le - less or equal
like - matches if contains pattern (case-sensitive)
bitand - bitwise AND
regexp - case-sensitive match of the regular expression given in pattern
iregexp - case-insensitive match of the regular expression given in pattern

pattern (optional) - required pattern (string arguments must be double-quoted)
Supported value types: float, integer, string, text, log

Float items match with the precision of 2.22e-16; if database is not upgraded the precision is 0.000001.

With bitand as the third parameter, the fourth pattern parameter can be specified as two numbers, separated by ‘/‘: number_to_compare_with/mask. count() calculates “bitwise AND” from the value and the mask and compares the result to number_to_compare_with. If the result of “bitwise AND” is equal to number_to_compare_with, the value is counted.
If number_to_compare_with and mask are equal, only the mask need be specified (without ‘/‘).

With regexp or iregexp as the third parameter, the fourth pattern parameter can be an ordinary or global (starting with ‘@’) regular expression. In case of global regular expressions case sensitivity is inherited from global regular expression settings. For the purpose of regexp matching, float values will always be represented with 4 decimal digits after ‘.’. Also note that for large numbers difference in decimal (stored in database) and binary (used by Zabbix server) representation may affect the 4th decimal digit.

Examples:
=> count(/host/key,10m) → number of values for the last 10 minutes until now
=> count(/host/key,10m,”like”,”error”) → number of values for the last 10 minutes until now that contain ‘error’
=> count(/host/key,10m,,12) → number of values for the last 10 minutes until now that equal ‘12’
=> count(/host/key,10m,”gt”,12) → number of values for the last 10 minutes until now that are over ‘12’
=> count(/host/key,#10,”gt”,12) → number of values within the last 10 values until now that are over ‘12’
=> count(/host/key,10m:now-1d,”gt”,12) → number of values between 24 hours and 10 minutes and 24 hours ago from now that were over ‘12’
=> count(/host/key,10m,”bitand”,”6/7”) → number of values for the last 10 minutes until now having ‘110’ (in binary) in the 3 least significant bits.
=> count(/host/key,10m:now-1d) → number of values between 24 hours and 10 minutes and 24 hours ago from now
countunique (/host/key,(sec|#num)<:time shift>,<operator>,<pattern>)
Number of unique values within the defined evaluation period.See common parameters.

operator (optional; must be double-quoted)

Supported operators:
eq - equal (default)
ne - not equal
gt - greater
ge - greater or equal
lt - less
le - less or equal
like - matches if contains pattern (case-sensitive)
bitand - bitwise AND
regexp - case-sensitive match of the regular expression given in pattern
iregexp - case-insensitive match of the regular expression given in pattern

pattern (optional) - required pattern (string arguments must be double-quoted)
Supported value types: float, integer, string, text, log

Float items match with the precision of 2.22e-16; if database is not upgraded the precision is 0.000001.

With bitand as the third parameter, the fourth pattern parameter can be specified as two numbers, separated by ‘/‘: number_to_compare_with/mask. count() calculates “bitwise AND” from the value and the mask and compares the result to number_to_compare_with. If the result of “bitwise AND” is equal to number_to_compare_with, the value is counted.
If number_to_compare_with and mask are equal, only the mask need be specified (without ‘/‘).

With regexp or iregexp as the third parameter, the fourth pattern parameter can be an ordinary or global (starting with ‘@’) regular expression. In case of global regular expressions case sensitivity is inherited from global regular expression settings. For the purpose of regexp matching, float values will always be represented with 4 decimal digits after ‘.’. Also note that for large numbers difference in decimal (stored in database) and binary (used by Zabbix server) representation may affect the 4th decimal digit.

Examples:
=> countunique(/host/key,10m) → number of unique values for the last 10 minutes until now
=> countunique(/host/key,10m,”like”,”error”) → number of unique values for the last 10 minutes until now that contain ‘error’
=> countunique(/host/key,10m,”gt”,12) → number of unique values for the last 10 minutes until now that are over ‘12’
=> countunique(/host/key,#10,”gt”,12) → number of unique values within the last 10 values until now that are over ‘12’
=> countunique(/host/key,10m:now-1d,”gt”,12) → number of unique values between 24 hours and 10 minutes and 24 hours ago from now that were over ‘12’
=> countunique(/host/key,10m,”bitand”,”6/7”) → number of unique values for the last 10 minutes until now having ‘110’ (in binary) in the 3 least significant bits.
=> countunique(/host/key,10m:now-1d) → number of unique values between 24 hours and 10 minutes and 24 hours ago from now
find (/host/key,<(sec|#num)<:time shift>>,<operator>,<pattern>)
Find a value match.See common parameters.

sec or #num (optional) - defaults to the latest value if not specified

operator (optional; must be double-quoted)

Supported operators:
eq - equal (default)
ne - not equal
gt - greater
ge - greater or equal
lt - less
le - less or equal
like - value contains the string given in pattern (case-sensitive)
bitand - bitwise AND
regexp - case-sensitive match of the regular expression given in pattern
iregexp - case-insensitive match of the regular expression given in pattern

pattern - required pattern (string arguments must be double-quoted); Perl Compatible Regular Expression (PCRE) regular expression if operator is regexp, iregexp.
Supported value types: float, int, str, text, log

Returns:
1 - found
0 - otherwise

If more than one value is processed, ‘1’ is returned if there is at least one matching value.

With regexp or iregexp as the third parameter, the fourth pattern parameter can be an ordinary or global (starting with ‘@’) regular expression. In case of global regular expressions case sensitivity is inherited from global regular expression settings.

Example:
=> find(/host/key,10m,”like”,”error”) → find a value that contains ‘error’ within the last 10 minutes until now
first (/host/key,sec<:time shift>)
The first (the oldest) value within the defined evaluation period.See common parameters.Supported value types: float, int, str, text, log

Example:
=> first(/host/key,1h) → retrieve the oldest value within the last hour until now

See also last().
fuzzytime (/host/key,sec)
Checking how much the passive agent time differs from the Zabbix server/proxy time.See common-parameters.Supported value types: float, int

Returns:
1 - difference between the passive item value (as timestamp) and Zabbix server/proxy timestamp is less than or equal to T seconds
0 - otherwise

Usually used with the ‘system.localtime’ item to check that local time is in sync with the local time of Zabbix server. Note that ‘system.localtime’ must be configured as a passive check.
Can be used also with vfs.file.time[/path/file,modify] key to check that file didn’t get updates for long time.

Example:
=> fuzzytime(/host/key,60s)=0 → detect a problem if the time difference is over 60 seconds

This function is not recommended for use in complex trigger expressions (with multiple items involved), because it may cause unexpected results (time difference will be measured with the most recent metric), e.g. in fuzzytime(/Host/system.localtime,60s)=0 or last(/Host/trap)<>0
last (/host/key,<#num<:time shift>>)
The most recent value.See common parameters.

#num (optional) - the Nth most recent value
Supported value types: float, int, str, text, log

Take note that a hash-tagged time period (#N) works differently here than with many other functions.
For example:
last() is always equal to last(#1)
last(#3) - third most recent value (not three latest values)

Zabbix does not guarantee the exact order of values if more than two values exist within one second in history.

Example:
=> last(/host/key) → retrieve the last value
=> last(/host/key,#2) → retrieve the previous value
=> last(/host/key,#1) <> last(/host/key,#2) → the last and previous values differ

See also first().
logeventid (/host/key,<#num<:time shift>>,<pattern>)
Checking if event ID of the last log entry matches a regular expression.See common parameters.

#num (optional) - the Nth most recent value

pattern (optional) - regular expression describing the required pattern, Perl Compatible Regular Expression (PCRE) style (string arguments must be double-quoted).
Supported value types: log

Returns:
0 - does not match
1 - matches
logseverity (/host/key,<#num<:time shift>>)
Log severity of the last log entry.See common parameters.

#num (optional) - the Nth most recent value
Supported value types: log

Returns:
0 - default severity
N - severity (integer, useful for Windows event logs: 1 - Information, 2 - Warning, 4 - Error, 7 - Failure Audit, 8 - Success Audit, 9 - Critical, 10 - Verbose).
Zabbix takes log severity from Information field of Windows event log.
logsource (/host/key,<#num<:time shift>>,<pattern>)
Checking if log source of the last log entry matches a regular expression.See common parameters.

#num (optional) - the Nth most recent value

pattern (optional) - regular expression describing the required pattern, Perl Compatible Regular Expression (PCRE) style (string arguments must be double-quoted).
Supported value types: log

Returns:
0 - does not match
1 - matches

Normally used for Windows event logs. For example, logsource(“VMware Server”).
monodec (/host/key,(sec|#num)<:time shift>,<mode>)
Check if there has been a monotonous decrease in values.See common parameters.

mode (must be double-quoted) - weak (every value is smaller or the same as the previous one; default) or strict (every value has decreased)
Supported value types: int

Returns 1 if all elements in the time period continuously decrease, 0 otherwise.

Example:
=> monodec(/Host1/system.swap.size[all,free],60s) + monodec(/Host2/system.swap.size[all,free],60s) + monodec(/Host3/system.swap.size[all,free],60s) - calculate in how many hosts there has been a decrease in free swap size
monoinc (/host/key,(sec|#num)<:time shift>,<mode>)
Check if there has been a monotonous increase in values.See common parameters.

mode (must be double-quoted) - weak (every value is bigger or the same as the previous one; default) or strict (every value has increased)
Supported value types: int

Returns 1 if all elements in the time period continuously increase, 0 otherwise.

Example:
=> monoinc(/Host1/system.localtime,#3,”strict”)=0 - check if system local time has been increasing consistently
nodata (/host/key,sec,<mode>)
Checking for no data received.See common parameters.

sec period should not be less than 30 seconds because the history syncer process calculates this function only every 30 seconds.

nodata(/host/key,0) is disallowed.

mode - if set to strict (double-quoted), this function will be insensitive to proxy availability (see comments for details).
All value types are supported.

Returns:
1 - if no data received during the defined period of time
0 - otherwise

Since Zabbix 5.0, the ‘nodata’ triggers monitored by proxy are, by default, sensitive to proxy availability - if proxy becomes unavailable, the ‘nodata’ triggers will not fire immediately after a restored connection, but will skip the data for the delayed period. Note that for passive proxies suppression is activated if connection is restored more than 15 seconds and no less than 2 & ProxyUpdateFrequency seconds later. For active proxies suppression is activated if connection is restored more than 15 seconds later.

To turn off sensitiveness to proxy availability, use the third parameter, e.g.: nodata(/host/key,5m,“strict”); in this case the function will work the same as before 5.0.0 and fire as soon as the evaluation period (five minutes) without data has past.

Note that this function will display an error if, within the period of the 1st parameter:
- there’s no data and Zabbix server was restarted
- there’s no data and maintenance was completed
- there’s no data and the item was added or re-enabled
Errors are displayed in the Info column in trigger configuration.

This function may not work properly if there are time differences between Zabbix server, proxy and agent. See also: Time synchronization requirement.
percentile (/host/key,(sec|#num)<:time shift>,percentage)
P-th percentile of a period, where P (percentage) is specified by the third parameter.See common parameters.

percentage - a floating-point number between 0 and 100 (inclusive) with up to 4 digits after the decimal point
Supported value types: float, int
rate (/host/key,sec<:time shift>)
Per-second average rate of the increase in a monotonically increasing counter within the defined time period.See common parameters.Supported value types: float, int

Functionally corresponds to ‘rate‘ of PromQL.

Example:
=> rate(/host/key,30s) → If the monotonic increase over 30 seconds is 20, this function will return 0.67.
trendavg (/host/key,time period:time shift)
Average of trend values within the defined time period.time period - the time period (minimum ‘1h’), defined as <N><time unit> where
N - number of time units
time unit - h (hour), d (day), w (week), M (month) or y (year).

Time shift - the time period offset (see examples)
Examples:
=> trendavg(/host/key,1h:now/h) → average for the previous hour (e.g. 12:00-13:00)
=> trendavg(/host/key,1h:now/h-1h) → average for two hours ago (11:00-12:00)
=> trendavg(/host/key,1h:now/h-2h) → average for three hours ago (10:00-11:00)
=> trendavg(/host/key,1M:now/M-1y) → average for the previous month a year ago
trendcount (/host/key,time period:time shift)
Number of successfully retrieved trend values within the defined time period.time period - the time period (minimum ‘1h’), defined as <N><time unit> where
N - number of time units
time unit - h (hour), d (day), w (week), M (month) or y (year).

Time shift - the time period offset (see examples)
Examples:
=> trendcount(/host/key,1h:now/h) → count for the previous hour (e.g. 12:00-13:00)
=> trendcount(/host/key,1h:now/h-1h) → count for two hours ago (11:00-12:00)
=> trendcount(/host/key,1h:now/h-2h) → count for three hours ago (10:00-11:00)
=> trendcount(/host/key,1M:now/M-1y) → count for the previous month a year ago
trendmax (/host/key,time period:time shift)
The maximum in trend values within the defined time period.time period - the time period (minimum ‘1h’), defined as <N><time unit> where
N - number of time units
time unit - h (hour), d (day), w (week), M (month) or y (year).

Time shift - the time period offset (see examples)
Examples:
=> trendmax(/host/key,1h:now/h) → maximum for the previous hour (e.g. 12:00-13:00)
=> trendmax(/host/key,1h:now/h) - trendmin(/host/key,1h:now/h) → calculate the difference between the maximum and minimum values (trend delta) for the previous hour (12:00-13:00)
=> trendmax(/host/key,1h:now/h-1h) → maximum for two hours ago (11:00-12:00)
=> trendmax(/host/key,1h:now/h-2h) → maximum for three hours ago (10:00-11:00)
=> trendmax(/host/key,1M:now/M-1y) → maximum for the previous month a year ago
trendmin (/host/key,time period:time shift)
The minimum in trend values within the defined time period.time period - the time period (minimum ‘1h’), defined as <N><time unit> where
N - number of time units
time unit - h (hour), d (day), w (week), M (month) or y (year).

Time shift - the time period offset (see examples)
Examples:
=> trendmin(/host/key,1h:now/h) → minimum for the previous hour (e.g. 12:00-13:00)
=> trendmin(/host/key,1h:now/h) - trendmin(/host/key,1h:now/h) → calculate the difference between the maximum and minimum values (trend delta) for the previous hour (12:00-13:00)
=> trendmin(/host/key,1h:now/h-1h) → minimum for two hours ago (11:00-12:00)
=> trendmin(/host/key,1h:now/h-2h) → minimum for three hours ago (10:00-11:00)
=> trendmin(/host/key,1M:now/M-1y) → minimum for the previous month a year ago
trendstl (/host/key,eval period:time shift,detection period,season,<deviations>,<devalg>,<s_window>)
Returns an anomaly rate - a decimal value between 0 and 1 that is ((the number of anomaly values in detect period) / (total number of values in detect period).eval period - the time period that must be decomposed (minimum ‘1h’), defined as <N><time unit> where
N - number of time units
time unit - h (hour), d (day), w (week), M (month) or y (year).

Time shift - the time period offset (see examples)

detection period - the time period starting from the end of eval period for which anomalies are calculated (minimum ‘1h’, cannot be longer than eval period), defined as <N><time unit> where
N - number of time units
time unit - h (hour), d (day), w (week).

season - the shortest time period where seasonality (repeating patterns) is expected (minimum ‘2h’, cannot be longer than eval period, number of entries in the eval period must be greater than the two times of the resulting frequency (season/h)), defined as <N><time unit> where
N - number of time units
time unit - h (hour), d (day), w (week).

deviations - the number of deviations (calculated with devalg) to count as anomaly (can be decimal), (must be greater than or equal to 1, default is 3)

devalg (must be double-quoted) - deviation algorithm, can be stddevpop, stddevsamp or mad (default)

s_window - the span (in lags) of the loess window for seasonal extraction (default is 10 number of entries in eval period + 1)
Examples:
=> trendstl(/host/key,100h:now/h,10h,2h) → analysing the last 100 hours of trend data,
find the anomalies rate for the previous 10 hours of that period,
expecting the periodicity to be 2h,
the remainder series values of the evaluation period are considered anomalies if they reach the value of 3 deviations of the MAD of that remainder series
=> trendstl(/host/key,100h:now/h-10h,100h,2h,2.1,”mad”) → analysing the period of previous 100 hours of trend data, starting counting 10 hours ago
find the anomalies rate for that entire period
expecting the periodicity to be 2h,
the remainder series values of the evaluation period are considered anomalies if they reach the value of 2,1 deviations of the MAD of that remainder series
=> trendstl(/host/key,100d:now/d-1d,10d,1d,4,,10) → analysing previous 100 days of trend data starting from a day ago,
find the anomalies rate for the period of last 10d of that period,
expecting the periodicity to be 1d,
the remainder series values of the evaluation period are considered anomalies if they reach the value of 4 deviations of the MAD of that remainder series,
overriding the default span of the loess window for seasonal extraction of “10 number of entries in eval period + 1” with the span of 10 lags
=> trendstl(/host/key,1M:now/M-1y,1d,2h,,”stddevsamp”) → minimum for the previous month a year ago
analysing previous month of trend data starting from a year ago,
find the anomalies rate of the last day of that period
expecting the periodicity to be 2h,
the remainder series values of the evaluation period are considered anomalies if they reach the value of 3 deviation of the sample standard deviation of that remainder series
trendsum (/host/key,time period:time shift)
Sum of trend values within the defined time period.time period - the time period (minimum ‘1h’), defined as <N><time unit> where
N - number of time units
time unit - h (hour), d (day), w (week), M (month) or y (year).

Time shift - the time period offset (see examples)
Examples:
=> trendsum(/host/key,1h:now/h) → sum for the previous hour (e.g. 12:00-13:00)
=> trendsum(/host/key,1h:now/h-1h) → sum for two hours ago (11:00-12:00)
=> trendsum(/host/key,1h:now/h-2h) → sum for three hours ago (10:00-11:00)
=> trendsum(/host/key,1M:now/M-1y) → sum for the previous month a year ago