https://community.splunk.com/t5/Getting-Data-In/XmlWinEventLog-Security-events-ffff-Remove-SED-props-not-working/m-p/435205#M75929 <P>they did all Windows TA App source definitions filed changes on WinEventLog:Security source name , and finally they renamed the source as XmlWinEventLog:Security may be that's the reason my confs are not working. <BR /> now i had change my confs by removing the XML from the source OR sourcetype </P> <PRE><CODE>&gt; [source::WinEventLog:Security] &gt; SEDCMD-remove_ffff = s/(::ffff:)//g </CODE></PRE> Thu, 08 Aug 2019 17:45:54 GMT vemurisurya 2019-08-08T17:45:54Z https://community.splunk.com/t5/Getting-Data-In/XmlWinEventLog-Security-events-ffff-Remove-SED-props-not-working/m-p/435204#M75928 <P>Hi <BR /> We are collecting the winevent logs in XML format since enabled ipv6 on the DC we are getting src_ip with included ipv6 and IP. <BR /> When I am trying to remove the ipv6 (::ffff:) from the src_ip and parse only IP address.<BR /><BR /> Neither of my props works.</P> <PRE><CODE>[XmlWinEventLog] SEDCMD-remove_ffff = s/(?ms)(.*IpAddress\'\&gt;)(::ffff:)(.*)/\1\3/g [XmlWinEventLog] SEDCMD-ipaddresssed = s/(::ffff:)//g </CODE></PRE> <P>My actual event.</P> <PRE><CODE>&lt;Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'&gt;&lt;System&gt;&lt;Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5434-4994-A5BA-3E3B0328C30D}'/&gt;&lt;EventID&gt;4769&lt;/EventID&gt;&lt;Version&gt;0&lt;/Version&gt;&lt;Level&gt;0&lt;/Level&gt;&lt;Task&gt;14337&lt;/Task&gt;&lt;Opcode&gt;0&lt;/Opcode&gt;&lt;Keywords&gt;0x80200000000000&lt;/Keywords&gt;&lt;TimeCreated SystemTime='2019-08-07T20:59:39.371042600Z'/&gt;&lt;EventRecordID&gt;93547806&lt;/EventRecordID&gt;&lt;Correlation/&gt;&lt;Execution ProcessID='704' ThreadID='1468'/&gt;&lt;Channel&gt;Security&lt;/Channel&gt;&lt;Computer&gt;dcserver.prog.com&lt;/Computer&gt;&lt;Security/&gt;&lt;/System&gt;&lt;EventData&gt;&lt;Data Name='TargetUserName'&gt;dvtest@prog.COM&lt;/Data&gt;&lt;Data Name='TargetDomainName'&gt;prog.COM&lt;/Data&gt;&lt;Data Name='ServiceName'&gt;dctest$&lt;/Data&gt;&lt;Data Name='ServiceSid'&gt;progtest\devtest$&lt;/Data&gt;&lt;Data Name='TicketOptions'&gt;0x40810000&lt;/Data&gt;&lt;Data Name='TicketEncryptionType'&gt;0x12&lt;/Data&gt;&lt;Data Name='IpAddress'&gt;::ffff:10.0.192.53&lt;/Data&gt;&lt;Data Name='IpPort'&gt;58774&lt;/Data&gt;&lt;Data Name='Status'&gt;0x0&lt;/Data&gt;&lt;Data Name='LogonGuid'&gt;{CA2F0CA9-78F8-0F8F-EAA1-269FE090D582}&lt;/Data&gt;&lt;Data Name='TransmittedServices'&gt;- &lt;/Data&gt;&lt;/EventData&gt;&lt;/Event&gt; </CODE></PRE> Wed, 30 Sep 2020 01:39:35 GMT https://community.splunk.com/t5/Getting-Data-In/XmlWinEventLog-Security-events-ffff-Remove-SED-props-not-working/m-p/435204#M75928 vemurisurya 2020-09-30T01:39:35Z https://community.splunk.com/t5/Getting-Data-In/XmlWinEventLog-Security-events-ffff-Remove-SED-props-not-working/m-p/435205#M75929 <P>they did all Windows TA App source definitions filed changes on WinEventLog:Security source name , and finally they renamed the source as XmlWinEventLog:Security may be that's the reason my confs are not working. <BR /> now i had change my confs by removing the XML from the source OR sourcetype </P> <PRE><CODE>&gt; [source::WinEventLog:Security] &gt; SEDCMD-remove_ffff = s/(::ffff:)//g </CODE></PRE> Thu, 08 Aug 2019 17:45:54 GMT https://community.splunk.com/t5/Getting-Data-In/XmlWinEventLog-Security-events-ffff-Remove-SED-props-not-working/m-p/435205#M75929 vemurisurya 2019-08-08T17:45:54Z