I have an issue where my transaction search finds endswith events with no startswith events.
Not to go into too much detail, but this is due to a funky way that Cisco logs OSPF events when DMVPN is involved.
I want to simply ignore endswith matches if a startswith event doesn't exist.
Is there a way to force transaction to only match if a startswith event exists (must startswith)?
Below is my search:
sourcetype=cisco:ios eventtype="cisco_ios-routing-ospf" | transaction host startswith="FULL to DOWN" endswith="LOADING to FULL" keepevicted=true | search closed_txn=0
Thanks,
Mike