I've an issue where my transaction search finds endswith events with no startswith events. Not to go into too much detail but this is due to a funky way that Cisco logs OSPF events when DMVPN is involved. I want to simply ignore endswith matches if a startswith event doesn't exist. Is there a way to force transaction to only match if a startswith event exists (must startswith)? Below is my search:
sourcetype=cisco:ios eventtype="cisco_ios-routing-ospf" | transaction host startswith="FULL to DOWN" endswith="LOADING to FULL" keepevicted=true | search closed_txn=0
Thanks,
Mike
↧