Thanks @jan and @BlueTeamNinja. Looks like this is going to work with little to no modification.
It just needs to be tested across all the devices.
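rule "type fortinet-faz-fgt-raw-cef-test"
when
  // Only handle messages the input tagged as pure CEF, and only when a CEF
  // header is actually present in the text. Without the second check a
  // non-matching message would still reach the header split below and the
  // device_* fields would be populated from a null/partial pure_cef value.
  has_field("rf_input_source") && to_string($message.rf_input_source) == "pure_cef_fgt" &&
  regex("(CEF:.*)$", to_string($message.message)).matches
then
  // Drop anything (e.g. a syslog prefix) in front of the CEF header and keep
  // only the "CEF:..." part in pure_cef for the rest of the rule.
  let result = regex("(CEF:.*)$", to_string($message.message));
  set_field("pure_cef", result["0"]);
  // CEF is seven pipe-delimited header fields followed by the extension.
  // Limit the split to 8 parts so that pipes inside the extension (CEF does
  // not require them to be escaped there) stay in message[7] instead of
  // truncating device_message at the first extra pipe.
  let message = split("\\|", to_string($message.pure_cef), 8);
  // split header parts out of CEF: message[0] is the "CEF:<version>" tag
  set_field("device_vendor", message[1]);
  set_field("device_product", message[2]);
  set_field("device_version", message[3]);
  set_field("device_event_class_id", message[4]);
  set_field("name", message[5]);
  set_field("severity", message[6]);
  set_field("device_message", message[7]);
  // parse the k=v extension. Keys come straight from the log content, so
  // set_fields(kv) will write whatever field names the sender puts in the
  // extension; if that is a concern for fields such as source or timestamp,
  // pass a prefix to set_fields (e.g. set_fields(kv, "cef_")) and adjust
  // downstream consumers accordingly.
  let kv = key_value(value: to_string(message[7]), trim_value_chars: "\"", trim_key_chars:"\"", delimiters:" ", kv_delimiters:"=");
  set_fields(kv);
  // key_value splits values at spaces, so recover the full free-text msg=
  // value with grok and store it as the message field.
  let gmsg = grok(pattern: "%{GREEDYDATA}msg=%{GREEDYDATA:message}", value: to_string(message[7]), only_named_captures: true);
  set_fields(gmsg);
  // cleanup of intermediate fields (msg is superseded by message above)
  remove_field("pure_cef");
  remove_field("device_message");
  remove_field("msg");
end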