The TA has a lookup file called netfilter_action.csv for setting the value of 'action' based on the value of ACTION. In some cases it sets cim_action (which is subsequently used for the value of 'action' by the LOOKUP-netfilter_actions command) to 'dropped', but 'dropped' is not a permitted value in the Network Traffic data model.
Is this an error, or am I missing something here?
Thanks very much @chris_barrett, you're absolutely correct and my apologies for a delayed response. The app has now been updated on Splunkbase.
I have asked the author to chime in!
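The mismatch raised in the question can be caught by checking a lookup's output column against the data model's permitted values before the TA ships. This is an added example, not code from the TA or from anyone in this thread; it assumes the lookup has the ACTION and cim_action columns named in the question, uses constructed sample rows, and takes allowed, blocked and teardown as the permitted values of 'action' in the CIM Network Traffic data model.

```python
import csv
import io

# Permitted values of 'action' in the CIM Network Traffic data model (assumption
# stated in the lead-in; confirm against the CIM version you deploy).
CIM_NETWORK_TRAFFIC_ACTIONS = frozenset({"allowed", "blocked", "teardown"})

# Constructed sample rows; the real contents of the TA's lookup are not shown in the thread.
SAMPLE_LOOKUP = """ACTION,cim_action
ACCEPT,allowed
DROP,dropped
REJECT,Blocked
LOG,
"""


def find_invalid_actions(csv_text, key_column="ACTION", value_column="cim_action",
                         permitted=CIM_NETWORK_TRAFFIC_ACTIONS):
    """Return (line_number, key, raw_value, reason) for every row whose
    value_column would put a non-CIM value into 'action'."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {key_column, value_column} - set(reader.fieldnames or [])
    if missing:
        raise ValueError("lookup is missing column(s): " + ", ".join(sorted(missing)))

    findings = []
    for row in reader:
        raw = row[value_column] or ""
        value = raw.strip()
        if raw in permitted:
            continue  # exact match, nothing to report
        if not value:
            reason = "empty"
        elif value.lower() in permitted:
            # Right word, wrong case or stray whitespace: still not the CIM value.
            reason = "wrong case or whitespace"
        else:
            reason = "not a permitted value"
        findings.append((reader.line_num, row[key_column], raw, reason))
    return findings


if __name__ == "__main__":
    for line_no, key, raw, reason in find_invalid_actions(SAMPLE_LOOKUP):
        print(f"line {line_no}: {key} -> {raw!r}: {reason}")
```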