Today we had an issue in our production environment: a cluster restarted without a preceding command to restart. Now I want to search our logs to see if this has happened before without us realizing it. I have tried using the transaction command, but I am not sure if it will fix it for me.
We are running WebSphere, and whenever a JVM is being started it will log an event like this:
[9/8/20 8:54:10:653 CEST] 00000001 WsServerImpl A WSVR0001I: Server MinSideMember02 open for e-business
If the restart was initiated by an administrator via the console or as a scheduled restart via a script, the following event will be logged:
[9/8/20 8:47:57:429 CEST] 000003b8 AdminHelper A ADMN1020I: An attempt is made to stop the MinSideMember02 server. (User ID = defaultWIMFileBasedRealm/wasadmin)
This is what I have tried (ref this answer):
index=production (e-business OR ADMN1020I) sourcetype="websphere:system:out" | transaction startswith="ADMN1020I" endswith="e-business" maxspan=15m |search eventcount=1
But no: it does find all "stopped then started" pairs, but not the two "started without stopped" events.
Add the keeporphans=true option to the transaction command.
Did try:
index=production (ADMN1020I OR e-business) sourcetype="websphere:system:out" | transaction startswith="ADMN1020I" endswith="e-business" maxspan=15m keeporphans=true
but it does not capture the e-business events without an ADMN1020I message.
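The check the question asks for, as an added Python example that is not part of this thread or of Splunk: it parses the two WebSphere message types shown above, pairs each WSVR0001I start with the most recent ADMN1020I stop for the same server name (the SPL queries above do not group by server), and reports every start with no stop within the 15-minute window. The log lines are constructed samples, and the month/day/year order of the timestamp is an assumption.

```python
import re
from datetime import datetime, timedelta

# Assumption: the log timestamp is month/day/year, as in "[9/8/20 8:54:10:653 CEST]".
TIMESTAMP_FORMAT = "%m/%d/%y %H:%M:%S"
MAX_SPAN = timedelta(minutes=15)  # same window as maxspan=15m in the SPL above

LINE_RE = re.compile(r"^\[(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}):(\d{3}) \w+\] \S+ \S+ \S (\w+): (.*)$")
STOP_RE = re.compile(r"stop the (\S+) server")
START_RE = re.compile(r"Server (\S+) open for e-business")

# Constructed sample of SystemOut.log lines, not real production data.
SAMPLE_LOG = """\
[9/8/20 8:47:57:429 CEST] 000003b8 AdminHelper A ADMN1020I: An attempt is made to stop the MinSideMember02 server. (User ID = defaultWIMFileBasedRealm/wasadmin)
[9/8/20 8:54:10:653 CEST] 00000001 WsServerImpl A WSVR0001I: Server MinSideMember02 open for e-business
[9/9/20 2:13:05:001 CEST] 00000001 WsServerImpl A WSVR0001I: Server MinSideMember02 open for e-business
[9/9/20 3:00:00:100 CEST] 000003b8 AdminHelper A ADMN1020I: An attempt is made to stop the MinSideMember01 server. (User ID = defaultWIMFileBasedRealm/wasadmin)
[9/9/20 3:20:00:200 CEST] 00000001 WsServerImpl A WSVR0001I: Server MinSideMember01 open for e-business
"""


def parse_events(text):
    """Return (timestamp, server, kind) tuples for ADMN1020I stop and WSVR0001I start lines, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # any other message is irrelevant to the restart check
        ts = datetime.strptime(m.group(1), TIMESTAMP_FORMAT) + timedelta(milliseconds=int(m.group(2)))
        code, message = m.group(3), m.group(4)
        if code == "ADMN1020I" and (s := STOP_RE.search(message)):
            events.append((ts, s.group(1), "stop"))
        elif code == "WSVR0001I" and (s := START_RE.search(message)):
            events.append((ts, s.group(1), "start"))
    events.sort(key=lambda e: e[0])
    return events


def unexplained_starts(text, max_span=MAX_SPAN):
    """Return (server, timestamp) for each start with no stop of that server within max_span before it."""
    last_stop = {}  # server name -> timestamp of its most recent ADMN1020I
    unexplained = []
    for ts, server, kind in parse_events(text):
        if kind == "stop":
            last_stop[server] = ts
        elif server not in last_stop or ts - last_stop[server] > max_span:
            unexplained.append((server, ts))
    return unexplained


if __name__ == "__main__":
    for server, ts in unexplained_starts(SAMPLE_LOG):
        print(f"{ts.isoformat()} {server} started without a preceding ADMN1020I")
```

In the sample the third line has no stop at all and the last pair is 20 minutes apart, so both starts are reported while the first pair is not.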