When a custom audit sink file is created to feed to Splunk in "raw" format, it always prepends each line with "-4 :" before the message (the message could be in json format or other format). 

Release : 10.1

Audit package predefined format include the message id. 

Set cluster wide property audit.log.otherDetailformat  =  {1}  (The default value is {0} : {1} ).  

Audit log format cluster wide properties: 

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-1/administer-the-gateway/gateway-auditing-threshold-and-format.html