I've recently started ingestion of wildfire events in the Palo Alto app. The "Wildfire Submission" dashboard seems broken. I looked into the queries forming those panels. One of the queries I would like to mention here:
| tstats summariesonly=t count FROM datamodel="panfirewall" WHERE nodename="log.wildfire" groupby _time log.rule log.srcip log.destip log.verdict log.filename log.filetype log.user log.app log.filehash log.src_location
Field "filename" is breaking this query's results; it comes from nodename=log.wildfire, which in turn is populated from the data model panfirewall. Removing this field shows the result count and the remaining fields.
Upon looking into the data model I see this field is optional, and at least 50% of raw events from this sourcetype contain the field file_name.
Any lead would be helpful.
As this is an optional field, you can remove it from the search, if that would suffice to show results in the dashboard. The other option would be to force 'unknown' for file_name if it is null, using local/props.conf. Something like:
where file_name is the extraction from the actual app/add-on.
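An added example of that props.conf approach (not the answerer's own snippet): a calculated field that keeps the add-on's extracted file_name when present and fills "unknown" otherwise. The sourcetype stanza name is a placeholder; use the sourcetype your add-on assigns to the wildfire events.

```ini
# local/props.conf  (added example; stanza name is a placeholder)
[your_wildfire_sourcetype]
# Calculated fields run after field extractions, so referencing file_name here
# picks up the add-on's extracted value when it exists and substitutes
# "unknown" when it is null, so a tstats groupby on it no longer drops the event.
EVAL-file_name = coalesce(file_name, "unknown")
```

Because the dashboard search uses summariesonly=t, events already in the accelerated summary will not pick up the new value until the data model acceleration is rebuilt; also confirm the groupby field name matches the data model field (the question cites both filename and file_name).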