I found this repository on GitHub (https://github.com/jamesfed/PANOSGraylogExtractor) and there’s an extractor for PAN-OS 9.1. I was able to copy/paste the JSON code for 9.1 into the extractor for the PAN-OS input and I see it’s applied to the data.
I tried creating a dashboard and filtered by source to limit the data to only what is received from my firewall. I also have syslog from my AT&T U-verse router streaming to a generic UDP syslog input. Anytime I add the source manually, that seems to work, but if I try to save it to the dashboard, any time I leave the page and go back to the dashboard and select the dashboard I created, the source filter is gone and I have to apply it again.
I guess I have a lot of reading to do.