FahadAhmed
Aug 28, 2023

Table based transformation not working when onboarding systems through AMA agent

Hi,

We initially had a few servers with the MMA agent deployed, and we performed a transformation on the "SecurityEvent" table to drop unwanted event IDs. Now, when we are installing the AMA agent on the same machines, somehow the event IDs that we excluded at table level are appearing in the Log Analytics workspace, which means that the table-level transformation is not working.

Can anyone guide us on whether this is what is supposed to happen in case of AMA? As per my understanding, the DCR tells the systems to collect logs and send them to the designated workspace, and transformation is applied at table level. We do not want to write XPath queries to filter those event IDs, as this will be additional effort, and we were hoping that onboarding logs through AMA and using table-level transformation could help us drop unwanted logs.

Any help is appreciated.

Thanks

Fahad

  • Before I answer the above, I need to know if you waited 1 hour after you applied the transformation against the table / DCR rule.

    There is a delay at the API level which can make you think it's not working.
    • FahadAhmed

      Thanks for the guidance, Bill. I have figured out the answer. Table-based transformations do not apply for AMA-based log ingestion; we will need a DCR. Performed a DCR-based transformation and it's working fine.

      Thanks
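
A sketch of the kind of DCR-level transformation the last reply describes, as an added example that is not part of the original thread: the `transformKql` on the data flow filters events before they reach the SecurityEvent table. The event IDs (4662, 5156), the `example-` names and the workspace resource ID placeholder are constructed for illustration.

```json
{
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "example-security-events",
          "streams": ["Microsoft-SecurityEvent"],
          "xPathQueries": ["Security!*"]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "example-workspace",
          "workspaceResourceId": "<workspace-resource-id>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": ["Microsoft-SecurityEvent"],
        "destinations": ["example-workspace"],
        "transformKql": "source | where EventID !in (4662, 5156)"
      }
    ]
  }
}
```

The XPath query stays broad here, so no per-event-ID XPath is needed; the drop list lives in one KQL expression that can be reviewed and versioned with the rule.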
