For inventory management purposes, I have been running the below Splunk search for years. It first checks Remedy and pulls a few common fields, then compares that against actual firewalls that are actively sending logs into Splunk. The output provided a list of firewalls that send active logs but are not in inventory management, and a list of devices in the inventory database which are not sending any active logs.
The result shows the full results of each search. I get a column called Remedy_CI_Name with every firewall and another column called PA_host_name with every firewall. It's like the "set diff" isn't doing anything at all.
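An added example, not the poster's search (which is not shown here) and not Splunk's own code: a Python model of a whole-row set difference, assuming two rows count as the same only when every field name and value matches. The hostnames are constructed, and the `host` field name and normalization rules (lowercase, short hostname) are assumptions; the last function produces the two reconciliation lists the post describes.

```python
# Constructed sample rows; field names mirror the two columns named in the post.
remedy_rows = [{"Remedy_CI_Name": "FW-EDGE-01"},
               {"Remedy_CI_Name": "fw-core-02"},
               {"Remedy_CI_Name": "fw-lab-09"}]
splunk_rows = [{"PA_host_name": "fw-edge-01.example.net"},
               {"PA_host_name": "fw-core-02"},
               {"PA_host_name": "fw-dmz-07"}]


def row_key(row):
    """Whole-row identity: every field name and value has to match."""
    return frozenset(row.items())


def set_diff(a, b):
    """Rows that appear in exactly one of the two result sets."""
    keys_a = {row_key(r) for r in a}
    keys_b = {row_key(r) for r in b}
    only_a = [r for r in a if row_key(r) not in keys_b]
    only_b = [r for r in b if row_key(r) not in keys_a]
    return only_a + only_b


def normalize(rows, field):
    """Project each row onto one shared field (hypothetical name 'host')."""
    return [{"host": r[field].strip().lower().split(".")[0]} for r in rows]


def reconcile(remedy, splunk):
    """Split the difference by direction so each gap can be triaged separately."""
    inventory = {r["host"] for r in normalize(remedy, "Remedy_CI_Name")}
    logging = {r["host"] for r in normalize(splunk, "PA_host_name")}
    return {"logging_not_in_inventory": sorted(logging - inventory),
            "in_inventory_not_logging": sorted(inventory - logging)}


if __name__ == "__main__":
    # Differently named fields never match, so every row is "different".
    print(len(set_diff(remedy_rows, splunk_rows)))
    # With one shared, normalized field only the real gaps remain.
    print(set_diff(normalize(remedy_rows, "Remedy_CI_Name"),
                   normalize(splunk_rows, "PA_host_name")))
    print(reconcile(remedy_rows, splunk_rows))
```
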