cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Table based transformation not working when onboarding systems through AMA agent

FahadAhmed
Brass Contributor

‎Aug 28 2023 09:25 AM

‎Aug 28 2023 09:25 AM

Table based transformation not working when onboarding systems through AMA agent

Hi,

We initially had a few servers with MMA agent deployed, we performed transformation on "SecurityEvent" table to drop unwanted event IDs. Now when we are installing AMA agent on the same machines, somehow the event IDs that we excluded on Table level are appearing in the log analytical workspace, which means that table level transformation is not working.

 

Can any one guide if this is what is supposed to happen incase of AMA? As per my understanding, DCR tells the systems to collect logs and send it to designated workspace and transformation is applied on table level. We donot want to write Xpath queries to filter those event IDs as this will be additional effort and were hoping if onboarding logs through AMA and using table level transformation could help us drop unwanted logs.

 

any help is appreciated.

Thanks

Fahad

Labels:
140 Views
0 Likes
2 Replies
Reply
2 Replies
BillClarksonAntill

‎Sep 14 2023 09:12 PM

‎Sep 14 2023 09:12 PM

Re: Table based transformation not working when onboarding systems through AMA agent

Before i answer the above, i need to know if you waited 1 hour after you applied the transformation against the table / DCR rule

There is a delay at the API level which can make you think its not working
0 Likes
Reply
FahadAhmed

‎Sep 19 2023 12:13 PM - edited ‎Sep 19 2023 12:14 PM

‎Sep 19 2023 12:13 PM - edited ‎Sep 19 2023 12:14 PM

Re: Table based transformation not working when onboarding systems through AMA agent

Thanks for the guidance bill, I have figured out the answer.  Table based transformations donot apply for AMA based log ingestions, we will need DCR. Performed DCR based transformation and its working fine.

Thanks

0 Likes
Reply