Forum Discussion
Table based transformation not working when onboarding systems through AMA agent
Hi,
We initially had a few servers with the MMA agent deployed, and we performed a transformation on the "SecurityEvent" table to drop unwanted event IDs. Now that we are installing the AMA agent on the same machines, the event IDs that we excluded at table level are somehow appearing in the Log Analytics workspace, which means that the table-level transformation is not working.
Can anyone guide us on whether this is what is supposed to happen in the case of AMA? As per my understanding, the DCR tells the systems to collect logs and send them to the designated workspace, and the transformation is applied at table level. We do not want to write XPath queries to filter those event IDs, as this would be additional effort, and we were hoping that onboarding logs through AMA and using a table-level transformation could help us drop unwanted logs.
Any help is appreciated.
Thanks
Fahad
- BillClarksonAntill (Iron Contributor)
Before I answer the above, I need to know if you waited 1 hour after you applied the transformation against the table / DCR rule.
There is a delay at the API level which can make you think it's not working.
- FahadAhmed (Brass Contributor)
Thanks for the guidance Bill, I have figured out the answer. Table-based transformations do not apply to AMA-based log ingestion; we will need a DCR. Performed a DCR-based transformation and it's working fine.
Thanks
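
The DCR-based approach described in the last reply, as an added example that is not from the thread: a data collection rule fragment whose `transformKql` on the data flow drops events before they are stored in `SecurityEvent`. The names `securityEvents` and `sentinelWorkspace`, the `<workspace-resource-id>` placeholder, and the event IDs 1111 and 2222 are constructed for illustration; substitute the IDs you actually want to drop.

```json
{
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "securityEvents",
          "streams": ["Microsoft-SecurityEvent"],
          "xPathQueries": ["Security!*"]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "<workspace-resource-id>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": ["Microsoft-SecurityEvent"],
        "destinations": ["sentinelWorkspace"],
        "transformKql": "source | where EventID !in (1111, 2222)"
      }
    ]
  }
}
```

With this layout the agent still collects the full Security log (`Security!*`), and the filter runs in the ingestion pipeline, so no per-event XPath queries are needed. After ingestion has had time to settle, a workspace query such as `SecurityEvent | where EventID in (1111, 2222) | summarize count() by Computer` should return no new rows for the AMA-onboarded machines.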