We do have the same plugin installed in splunk, but there is no CVE there. Could you specify where in the app we can find it? Also, if Panorama is not sending that cve, how can splunk see it? My question is how to add the cve to be sent from the source that is along with threat id.
Are you using the palto alto splunk app? - https://splunkbase.splunk.com/app/491/
I am sorry, but I am not getting your question. If you can see the CVE number in the logs what is the trouble in extracting the same?