Syslog Transformation DCR not working
I need assistance troubleshooting a Syslog Transformation DCR used with Microsoft Sentinel. The Transformation DCR looks to work correctly in the Create Transformation wizard, but doesn't actually filter out the records.
I have a few Syslog/CEF forwarders deployed on premises collecting logs, and they are receiving both CEF and Syslog data. I've followed this guide https://learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-overview?tabs=single#data-ingestion-duplication-avoidance but am still getting CEF data in both the CommonSecurityLog and Syslog tables.
My current Transformation DCR applied to the Syslog table:
source
| where ProcessName !contains "CEF"
However, running the query below in Log Analytics Workspace (or Sentinel) produces results.
Syslog
| where ProcessName contains "CEF"
As stated above, when I run the transformation filter in the Syslog transformation wizard, it does filter the results as expected. But saving and applying the rule has no effect. The Transformation DCR has been in place for months so I don't think it's a timing issue.
Any help is appreciated!
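Added example, not from the post above: a workspace transformation DCR only applies to data that is not collected through a DCR, so for Syslog collected by the Azure Monitor Agent the same KQL filter has to sit in the transformKql of the collection DCR's dataFlows entry. The resource IDs, facility names and log levels below are placeholders.

```json
{
  "location": "<region>",
  "properties": {
    "dataSources": {
      "syslog": [
        {
          "name": "syslogDataSource",
          "streams": ["Microsoft-Syslog"],
          "facilityNames": ["auth", "authpriv", "local4"],
          "logLevels": ["Warning", "Error", "Critical", "Alert", "Emergency"]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": ["Microsoft-Syslog"],
        "destinations": ["sentinelWorkspace"],
        "transformKql": "source | where ProcessName !contains \"CEF\""
      }
    ]
  }
}
```

After updating the DCR, the check query from the post (Syslog | where ProcessName contains "CEF") should stop returning new rows for records ingested after the change; older rows remain until they age out of retention.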