Forgot to mention that the rsyslog format was checked and the "date" and "host" details were removed. Now only the "message" details are being ingested.
The "Message" coming from Palo Alto to Splunk could match the field extraction below, but it is still not being parsed.
Field extractions:
[extract_system]
DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","vsys","event_id","object","future_use3","future_use4","module","severity","description","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name"