diff --git a/Splunk_TA_paloalto/default/transforms.conf b/Splunk_TA_paloalto/default/transforms.conf
index bd58b325..8f20c783 100644
--- a/Splunk_TA_paloalto/default/transforms.conf
+++ b/Splunk_TA_paloalto/default/transforms.conf
@@ -69,11 +69,11 @@ FORMAT = sourcetype::pan:config_traps [extract_threat] DELIMS = "," -FIELDS = "future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","session_flags","transport","action","misc","threat","raw_category","severity","direction","sequence_number","action_flags","src_location","dest_location","future_use4","content_type","pcap_id","file_hash","cloud_address","url_index","user_agent","file_type","xff","referrer","sender","subject","recipient","report_id","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","future_use5","src_vm","dest_vm","http_method","tunnel_id","tunnel_monitor_tag","tunnel_session_id","tunnel_start_time","tunnel_type","threat_category","content_version","future_use6" +FIELDS = 
"future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","session_flags","transport","action","misc","threat","raw_category","severity","direction","sequence_number","action_flags","src_location","dest_location","future_use4","content_type","pcap_id","file_hash","cloud_address","url_index","user_agent","file_type","xff","referrer","sender","subject","recipient","report_id","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","future_use5","src_vm","dest_vm","http_method","tunnel_id","tunnel_monitor_tag","tunnel_session_id","tunnel_start_time","tunnel_type","threat_category","content_version","future_use6","assoc_id","ppid","http_headers","url_category_list","rule_uuid","http2_connection","dynusergroup_name","xff_ip","src_category","src_profile","src_model","src_vendor","src_osfamily","src_osversion","src_host","src_mac","dst_category","dst_profile","dst_model","dst_vendor","dst_osfamily","dst_osversion","dst_host","dst_mac","container_id","pod_namespace","pod_name","src_edl","dst_edl","hostid","serialnumber","domain_edl","src_dag","dst_dag","partial_hash","high_res_timestamp","reason","justification","nssai_sst","subcategory_of_app","category_of_app","technology_of_app","risk_of_app","characteristic_of_app","container_of_app","tunneled_app","is_saas_of_app","sanctioned_state_of_app","cloud_reportid" [extract_traffic] DELIMS = "," -FIELDS = 
"future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","session_flags","transport","action","bytes","bytes_out","bytes_in","packets","start_time","duration","http_category","future_use4","sequence_number","action_flags","src_location","dest_location","future_use5","packets_out","packets_in","session_end_reason","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","action_source","src_vm","dest_vm","tunnel_id","tunnel_monitor_tag","tunnel_session_id","tunnel_start_time","tunnel_type" +FIELDS = "future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","session_flags","transport","action","bytes","bytes_out","bytes_in","packets","start_time","duration","http_category","future_use4","sequence_number","action_flags","src_location","dest_location","future_use5","packets_out","packets_in","session_end_reason","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","action_source","src_vm","dest_vm","tunnel_id","tunnel_monitor_tag","tunnel_session_id","tunnel_start_time","tunnel_type","assoc_id","chunks","chunks_sent","chunks_received","rule_uuid","http2_connection","link_change_count","policy_id","link_switches","sdwan_cluster","sdwan_device_type","sdwan_cluster_type","sdwan_site","dynusergroup_name","xff_ip","src
_category","src_profile","src_model","src_vendor","src_osfamily","src_osversion","src_host","src_mac","dst_category","dst_profile","dst_model","dst_vendor","dst_osfamily","dst_osversion","dst_host","dst_mac","container_id","pod_namespace","pod_name","src_edl","dst_edl","hostid","serialnumber","src_dag","dst_dag","session_owner","high_res_timestamp","nsdsai_sst","nsdsai_sd","subcategory_of_app","category_of_app","technology_of_app","risk_of_app","characteristic_of_app","container_of_app","tunneled_app","is_saas_of_app","sanctioned_state_of_app","offloaded" [extract_config] DELIMS = ","
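Review bot: The new extract_traffic FIELDS list names the two slice fields `"nsdsai_sst","nsdsai_sd"`, while the new extract_threat list in the same hunk spells the corresponding field `"nssai_sst"`; the traffic spelling looks like a typo for `"nssai_sst","nssai_sd"` (NSSAI, the term the threat stanza follows), and the two stanzas should agree so searches and CIM mappings built on one log type also match the other. Because both stanzas are positional DELIMS extractions, the added field names are otherwise only as good as their order and count, so a comment above each FIELDS line recording which PAN-OS log-format version the column order tracks (e.g. `# Column order follows the PAN-OS <version> traffic log format; verify on upgrade`) would let the next person re-validate instead of guessing. A misnamed or shifted field here fails silently at search time, so any detection content that references the new names is worth a quick smoke test against a sample of each log type.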