Hi
We are collecting the winevent logs in XML format since enabled ipv6 on the DC we are getting src_ip with included ipv6 and IP.
When I am trying to remove the ipv6 (::ffff:) from the src_ip and parse only IP address.

Neither of my props works.

[XmlWinEventLog]
SEDCMD-remove_ffff = s/(?ms)(.*IpAddress\'\>)(::ffff:)(.*)/\1\3/g

[XmlWinEventLog]
SEDCMD-ipaddresssed = s/(::ffff:)//g

My actual event.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5434-4994-A5BA-3E3B0328C30D}'/><EventID>4769</EventID><Version>0</Version><Level>0</Level><Task>14337</Task><Opcode>0</Opcode><Keywords>0x80200000000000</Keywords><TimeCreated SystemTime='2019-08-07T20:59:39.371042600Z'/><EventRecordID>93547806</EventRecordID><Correlation/><Execution ProcessID='704' ThreadID='1468'/><Channel>Security</Channel><Computer>dcserver.prog.com</Computer><Security/></System><EventData><Data Name='TargetUserName'>dvtest@prog.COM</Data><Data Name='TargetDomainName'>prog.COM</Data><Data Name='ServiceName'>dctest$</Data><Data Name='ServiceSid'>progtest\devtest$</Data><Data Name='TicketOptions'>0x40810000</Data><Data Name='TicketEncryptionType'>0x12</Data><Data Name='IpAddress'>::ffff:10.0.192.53</Data><Data Name='IpPort'>58774</Data><Data Name='Status'>0x0</Data><Data Name='LogonGuid'>{CA2F0CA9-78F8-0F8F-EAA1-269FE090D582}</Data><Data Name='TransmittedServices'>- </Data></EventData></Event>