...
You will need to set up just one type-4 relay rule that uses a regular expression and capturing groups to isolate data contained in the inbound event to build the correct Devo tag.
Source Port → port →
13005Source Data → data →
^[^,]+,[^,]+,[^,]+,([^,]+).*$Target Tag → firewalltag →
firewall.paloalto.\\D1Select the Stop Processing processing and Sent without syslog tag checkboxes
Once you add the rule, the relay is prepared to recieveievents receive events from stunnel and forward them correctly to the Devo cloud.
...