And we're fixed!
Looks like the issue was due to a sourcetype of 'bit9' that we are using for CEF ingestion of logs via syslog. I moved the sourcetype over to bit9_test and it appears the props/transforms are working correctly. Once I can eliminate the CEF ingestion I can move back to bit9 and life shall be good.
... View more