So I am having an issue with Transforming my logs. I have a device on my network the comes in as an /unknown with ClassKey and Component as Null. I use the transform to add the ClassKey and Component names. After setting those items through a transform. I than try to Map the instance using those Keys. I have played with setting the evt.eventClass property though the transform, the event still remains in the /Unknown event classes.
match = re.search('note="INTERFACE STATISTICS"', evt.summary)
if match and device:
evt.eventClassKey = "firewall_stats"
evt.component = "Firewall"
# evt.eventClass = "/Firewall/USG50/statistics/"