Palo Alto Custom Log Formatting for Splunk

Use below to remove fields that aren’t needed or used. This could reduce the amount of logs by 25%.

Device>Server Profiles>Syslog>Syslog Server Profile>Custom Log Format

#THREAT

,$time_received,,$type,$subtype,,,$src,$dst,$natsrc,$natdst,$rule,$srcuser,$dstuser,$app,,$from,$to,$inbound_if,$outbound_if,,,$sessionid,,$sport,$dport,$natsport,$natdport,$flags,$proto,$action,$misc,$threatid,$category,$severity,$direction,,,,,,$contenttype,,$filedigest,$cloud,$url_idx,,$filetype,$xff,$referer,$sender,$subject,$recipient,$reportid,,,,,,,$file_url

#TRAFFIC

,$receive_time,,$type,$subtype,,,$src,$dst,$natsrc,$natdst,$rule,$srcuser,$dstuser,$app,,$from,$to,$inbound_if,$outbound_if,,,,,$sport,$dport,$natsport,$natdport,,$proto,$action,$bytes,$bytes_sent,$bytes_received,$packets,,,$category,,,,,,,$pkts_sent,$pkts_received,$session_end_reason