I have two log messages "%ROUTING-LDP-5-NSR_SYNC_START" and "%ROUTING-LDP-5-NBR_CHANGE" which usually accompany each other whenever there is a peer flapping. So "%ROUTING-LDP-5-NBR_CHANGE" is followed by "%ROUTING-LDP-5-NSR_SYNC_START" almost every time.
I am trying to find the output where a device only produces "%ROUTING-LDP-5-NSR_SYNC_START" without "%ROUTING-LDP-5-NBR_CHANGE". I am using transaction but have not been able to figure it out.
index = test ("%ROUTING-LDP-5-NSR_SYNC_START" OR "%ROUTING-LDP-5-NBR_CHANGE")
| transaction maxspan=5m startswith="%ROUTING-LDP-5-NSR_SYNC_START" endswith="%ROUTING-LDP-5-NBR_CHANGE"
| search eventcount=1 startswith="%ROUTING-LDP-5-NSR_SYNC_START"
| stats count by host