Hello,
I understand now. Have you tried to use a Raw/Plaintext TCP/UDP INPUT? Perhaps that would minimize the number of fields being generated.
For Example:
I have FortiGate firewalls (60E, 100, 200) in my environment. Then I created a Raw/Plaintext INPUT. On that input I created ONLY the fields I need for alerts and notifications.
I have tried Syslog UDP but didn’t work well in our environment.
Here are some of my extractors; this is my Lab GL server, so it has a lot more than our production one.
If you decide to go that route, I do have a lot of regex for extractor configurations I can offer.
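As an added illustration of the approach described in this reply (pulling only a whitelist of fields out of a raw firewall line with regex), the following Python is example code, not the poster's actual extractors, which are not shown here. It assumes FortiGate's usual `key=value` syslog layout; the sample line is constructed for the example and the chosen field list is an arbitrary one.

```python
import re

# Constructed FortiGate-style key=value log line (assumption: built for this
# example, not taken from the original post or a real device).
SAMPLE_LINE = (
    'date=2024-01-01 time=12:00:00 devname="FGT60E" devid="FG60EEXAMPLE000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.5 srcport=51234 dstip=203.0.113.10 dstport=443 proto=6 '
    'action="deny" policyid=7 service="HTTPS"'
)

# Only the keys an alert or notification actually needs (example whitelist).
WANTED = ("devname", "type", "subtype", "srcip", "dstip", "dstport",
          "action", "policyid")

# One generic pattern: key=value where value is either quoted or bare.
# group(1)=key, group(3)=quoted value body, group(4)=bare value.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def extract_fields(line, wanted=WANTED):
    """Return only the whitelisted key=value pairs found in one raw line.

    Everything not in `wanted` is skipped, so a line with 15 pairs yields
    only the handful of fields we want indexed.
    """
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        if key not in wanted:
            continue
        # Quoted value wins when present, otherwise take the bare token.
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


# Graylog-style "one regex, one capture group per extractor" alternative:
# each extractor targets a single field (hypothetical patterns for the example).
PER_FIELD_EXTRACTORS = {
    "srcip": re.compile(r"srcip=(\d{1,3}(?:\.\d{1,3}){3})"),
    "dstip": re.compile(r"dstip=(\d{1,3}(?:\.\d{1,3}){3})"),
    "action": re.compile(r'action="([^"]*)"'),
    "policyid": re.compile(r"policyid=(\d+)"),
}


def apply_extractors(line, extractors=PER_FIELD_EXTRACTORS):
    """Run each single-field extractor; missing fields are simply absent."""
    out = {}
    for name, pattern in extractors.items():
        m = pattern.search(line)
        if m:
            out[name] = m.group(1)
    return out


if __name__ == "__main__":
    print(extract_fields(SAMPLE_LINE))
    print(apply_extractors(SAMPLE_LINE))
```

The whitelist approach keeps the raw line intact for forensics while limiting what gets indexed to the fields that drive alerts; the per-field patterns mirror how a regex extractor with a single capture group would be configured for each field.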
