Field alias inconsistencies between firewall and firewall_cloud

[shepherdjay]

Describe the bug

There appears to be several inconsistencies between aliases for firewall and firewall_cloud. I see some of these have been resolved in 8.0.0.x but others are still outstanding. It is isn't clear if this is as designed.

Expected behavior

Searching for
log_type="TRAFFIC" | stats count by src_translated_ip

Should result in working results for both Cortex forwarded logs firewall_cloud and panorama / palo logs firewall

Current behavior

Instead only on-prem are found

Possible solution

We are utilizing additional aliases in our setup to allow for the dashboards to normalize across onprem and cortex

Steps to reproduce

Utilize 7.1 app or 8.0 app

Context

Consistent dashboard queries for our environment

[welcome-to-palo-alto-networks]

🎉 Thanks for opening your first issue here! Welcome to the community!

[shepherdjay]

Another example - in order to query logs for hip we're construction setups like this:

(sourcetype="pan:hipmatch" OR log_type="HIPMATCH") AND (hip_type=profile OR HipMatchType=profile)