This repository has been archived by the owner on Dec 14, 2024. It is now read-only.

dvc field is determined inconsistently across sourcetypes #272

Open
MonkeyKa opened this issue Nov 7, 2022 · 0 comments
MonkeyKa commented Nov 7, 2022

Describe the bug

Have noticed that pan:traffic uses the value in dvc_name for dvc, while pan:threat, pan:config, and pan:system use the host field.
This creates an inconsistent summary and search experience across logs.

Expected behavior

I would expect dvc to be the same for the same device across all sourcetypes.

Current behavior

For all sourcetypes other than pan:traffic, an alias is currently being used to alias host to dvc.
For pan:traffic, a calculated field is being used to pick the first available between dvc_name and host:
coalesce(dvc_name, host)
Since dvc_name is part of the standard syslog, that is what is used.

Some sourcetypes do not have the dvc or dvc_name field.

Possible solution

Either alias dvc to dvc_name for all sourcetypes, or alias them all to host.

Steps to reproduce

  1. You can visualize the difference in Splunk with "index=pan_logs | dedup sourcetype | table sourcetype dvc dvc_name host | head 10"

Context

Some Splunk users who've counted on the dvc field are complaining to me about existing correlation searches not working.

Your Environment

  • Version used:
  • Splunk Enterprise Version: 8.2.2
  • Splunk_TA_paloalto | 7.1.0
@MonkeyKa MonkeyKa added the bug label Nov 7, 2022
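The two aliasing styles the issue contrasts, written out as a props.conf fragment. This is an added illustration, not a copy of Splunk_TA_paloalto's own props.conf (which was not checked); the stanza layout, the FIELDALIAS class name `dvc_alias`, and the assumption that dvc_name is already extracted for every sourcetype are mine. The first half reproduces the mixed situation the issue describes; the second half is one way of making dvc consistent, using the same coalesce() for all four sourcetypes so that devices whose events lack dvc_name still fall back to host.

```ini
# --- Current (inconsistent) behaviour as described in the issue ---
# Three sourcetypes: dvc is a plain alias of the Splunk host field.
[pan:threat]
FIELDALIAS-dvc_alias = host AS dvc

[pan:config]
FIELDALIAS-dvc_alias = host AS dvc

[pan:system]
FIELDALIAS-dvc_alias = host AS dvc

# pan:traffic: dvc is a calculated field, preferring the in-log dvc_name.
[pan:traffic]
EVAL-dvc = coalesce(dvc_name, host)

# --- Consistent alternative (assumed fix, one of the two options in the issue) ---
# Apply the same calculated field to every sourcetype. Calculated fields are
# evaluated after field aliases in Splunk's search-time order, so this EVAL
# also takes precedence over any leftover FIELDALIAS-dvc_alias definition.
[pan:threat]
EVAL-dvc = coalesce(dvc_name, host)

[pan:config]
EVAL-dvc = coalesce(dvc_name, host)

[pan:system]
EVAL-dvc = coalesce(dvc_name, host)

[pan:traffic]
EVAL-dvc = coalesce(dvc_name, host)
```

The choice between the two options in the issue matters for detection content: an alias to host ties dvc to whatever the syslog receiver or forwarder set as host, while coalesce(dvc_name, host) ties it to the name the firewall put in the log, so correlation searches keyed on dvc will match a different value depending on which one is picked. After changing the stanzas, rerunning the issue's own check ("index=pan_logs | dedup sourcetype | table sourcetype dvc dvc_name host") should show the dvc column agreeing across sourcetypes for the same device.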