
EVAL-user is incorrect in pan:firewall_cloud #219

Open
inspired opened this issue Oct 4, 2021 · 1 comment
inspired commented Oct 4, 2021

Describe the bug

About 99% of logs have the value "unknown" for the user field.

Expected behavior

When the user is known from one of the other fields, such as SourceUser, DestinationUser, etc., that should be reflected in user.

Current behavior

EVAL-user contains single quotes around field names. You only need single quotes when the field names have dots in them.

Possible solution

Replace the single quotes. Solution:

EVAL-user = case(SourceUser!="null",SourceUser,SourceUserName !="null",SourceUserName,src_user!="null",src_user,dest_user!="null",dest_user,recipient!="null",recipient,sender!="null",sender,true(),"unknown")

Steps to reproduce

  1. Run
    index=* sourcetype="pan:firewall_cloud" | top user

  2. Observe that about 99% of the events have "unknown" as the field value

Screenshots

Context

The issue gives incorrect results when working with the data, especially when trying to normalize it to fit into the Network Traffic DM.

Your Environment

  • Version used: Palo Alto Add-on version 7.0.2, Splunk Cloud 8.2.2105.4
  • Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3):
  • Operating System and version (desktop or mobile):
  • Link to your project:
inspired added the bug label Oct 4, 2021

welcome-to-palo-alto-networks (bot) commented

🎉 Thanks for opening your first issue here! Welcome to the community!
