Hopefully I have close enough to your version and all that. I can update mine if necessary, but I think it's just a couple of months out of date so it's probably close enough.

Here's what I did to investigate, hopefully the methods will work for you (and will be helpful for others).

When I open my Threat dashboard, the first panel is "Threat Subtypes" and is based on the following base search (e.g. I got rid of the timechart at the end).

| `pan_tstats` count FROM `node(log.threat)`       `groupby(_time log.log_subtype)` 

So let's compare that to one that may or may not work, the "Traffic Dashboard" "Bytes Transfered[sic] Over Time" which has a base search like

| `pan_tstats` sum(log.bytes_out) AS sumSent sum(log.bytes_in) AS sumReceived FROM `node(log.traffic.end)`       groupby _time span=5m

If you look at both, you see much of the same macros but not quite. They both call macro node() but one with log.threat and the other with log.traffic.end. So let's check that macro to see what it does.

datamodel="pan_firewall" WHERE nodename="$nodename$" 

So, if we do a pivot on datamodel pan firewall (called "Palo Alto Networks Firewall Logs" in the Datamodels list), I come up with a bunch of Threats. Yours I presume doesn't?

If it doesn't as I expect, go back and "Edit objects" on that DM, you'll see that there's a list of Constraints for the root "Firewall Logs" which I'll presume works fine (since other items populate). If you click "Threat" on the left, you'll see that it adds a few more constraints:

eventtype="pan_threat" (log_subtype="vulnerability" OR log_subtype="virus" OR log_subtype="spyware")

Of those, you have two sets of things to check. Are your pan logs properly tagged with event type "pan_threat"? Do they have at least one of those log_subtypes?

My guess is an eventtype is misspecified. You can go to the definition of the eventtype to see how that's defined and somewhere in those few items is, IMO, likely to be the problem.

Let me/us know how it goes!