I am trying to get all DHCP records for machines on which an authentication attempt was made for a user. I am doing this with a subsearch on the Authentication datamodel for the authentication sources.
One thing that I noticed is that sometimes my authentication info has the machine name, while other times it has the IP address source, but prepended with "::ffff:".
That extra bit at the front makes the source unfindable in DHCP logs. Is there a way for my tstats result to remove the "::ffff:"?
I have tried
|tstats count FROM datamodel=Authentication WHERE Authentication.user="<user>" Authentication.action="failure" by Authentication.src | eval src=ltrim(Authentication.src,"::ffff:") | fields src
for which I end up with an empty field called src
and (longshot)
|tstats count FROM datamodel=Authentication WHERE Authentication.user="userName" Authentication.action="failure" by ltrim(Authentication.src,"::ffff:")
which gives me the error: Error in 'tstats' command: Invalid argument: '::ffff:)'
If it matters, here is the larger query
sourcetype=DhcpSrvLog "DNS Update Successful" [|tstats count FROM datamodel=Authentication WHERE Authentication.user="userName" Authentication.action="failure" by Authentication.src | rename Authentication.src as search] | table time dest dest_ip
Try this
|tstats count FROM datamodel=Authentication WHERE Authentication.user="<user>" Authentication.action="failure" by Authentication.src | eval src=replace('Authentication.src',"::ffff:","") | fields src
Perfect. That does it! I guess that I need the field name in single quotes. Did not realize that.
Yes, for field names which contain special characters like colon, dot, space etc (underscore is fine).
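To see both points of this thread side by side (the accepted replace() fix, and why the unquoted field name in eval yields an empty field), here is a self-contained search you can paste into any Splunk search bar. It is an added example, not part of the original answers, and it does not need the Authentication datamodel: makeresults builds three constructed rows that mimic the shape of Authentication.src (an IPv4-mapped address, a hostname, and a plain IPv4). The row values and the field names src_bad and src_good are assumptions for illustration only.

```spl
| makeresults count=3
| streamstats count AS n
| eval "Authentication.src"=case(n==1, "::ffff:10.1.2.3", n==2, "WORKSTATION01", n==3, "10.1.2.4")
| eval src_bad=ltrim(Authentication.src, "::ffff:")
| eval src_good=replace('Authentication.src', "^::ffff:", "")
| table n Authentication.src src_bad src_good
```

In the src_bad line the unquoted Authentication.src is parsed by eval as the concatenation (the dot operator) of two fields named Authentication and src; neither exists, so the expression is null and src_bad comes out empty, exactly what the question describes. The src_good line references the real field with single quotes, as the accepted answer does, and anchors the pattern with ^ so only a leading "::ffff:" is removed, leaving WORKSTATION01 and 10.1.2.4 untouched. Note that the by clause of tstats and the table command take the dotted name without quotes; the single quotes are only needed inside eval and where expressions. In the larger search from the question, the same eval goes right before the rename ... as search, so the subsearch hands plain IPv4 addresses to the DhcpSrvLog search.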