Detections with custom query

Hi Frank,
It is probably the root cause. When I compared the events (which fields were different), I didn't notice the name "signal" in my fields.

In my particular case of Fortinet's wireless controllers, I detect 7 events containing that field (it could be very common when ingesting logs from wireless or access points).

There are two events that are particularly important from the security point of view, which detect the presence of rogue access points in a wireless infrastructure.

In the meantime, I'll rename that field and I'll let you know the results.

Thank you very much!
Regards
Anna