I have a real head-scratcher I'm struggling with on Google SecOps. I'm running queries via the "/legacy:legacyFetchUdmSearchView" API endpoint and seeing what looks like silent failure of "outcome" projections when filtering on a repeated field with "any".
This query returns events but each event has an empty "outcomes" field:
events:
  metadata.log_type = "PAN_FIREWALL"
  any principal.ip = "<source-ip>"
outcome:
  $protocol = network.ip_protocol

The returned events have "network.ipProtocol" populated in the raw JSON (e.g. "ICMP"), so the field is present; it just isn't projecting through "outcome".
Rewriting with placeholder binding produces populated outcomes:
events:
  metadata.log_type = "PAN_FIREWALL"
  principal.ip = $ip
  $ip = "<source-ip>"
outcome:
  $protocol = network.ip_protocol

"$protocol" now comes back with "ICMP" as expected.
Strangely, the same "any" + scalar-projection pattern works fine when I filter on "target.ip" instead of "principal.ip" for similar PAN events:
events:
  metadata.log_type = "PAN_FIREWALL"
  any target.ip = "<destination-ip>"
outcome:
  $protocol = network.ip_protocol

This returns events with "$protocol" populated. So whatever's going wrong with the "principal.ip" version isn't universal to "any" filtering.
Anybody have any idea what’s going on? Any help would be appreciated.
