I've recently started ingestion of wildfire events in Palo Alto app. Dashboard "Wildfire Submission" seems broken. I looked into the query forming those panels. One of the query I would like to mention here -
| tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.wildfire" """" groupby _time log.rule log.src_ip log.dest_ip log.verdict log.file_name log.file_type log.user log.app log.file_hash log.src_location
Field "file_name" is breaking this query result which is coming from nodename=log.wildfire which in-turn populating from data model pan_firewall. Removing this field will show result count and remaining fields.
Upon looking into the datamodel I see this field as optional and atleast 50% raw events contain field file_name from this sourcetype.
Any lead would be helpful.
↧