I would also recommend here that this be done with a simple modification to Splunk_TA_Windows.
In order to remove the ::ffff: from this field, you can create two new transforms and modify two extractions in the Splunk_TA_Windows. You need two because the Client_Address field is used for both src and src_ip in the Windows logs.
Instructions are below:
Transformation for src_ip:
Start by making a new transformation
Set the Name to: Client_Address_as_src_ip_modified
Set the Regular expression to: ([\]+)?([^f:\n][^-].*)
Set the Source_Key to: Client_Address
Set the Format to: src_ip::"$2"
Save the extraction.
Note: Make sure the permissions for this are Global and also that the transformation goes into the Splunk_TA_Windows App.
Go to Settings > Fields > Field extractions
Find and modify the extraction named “source::*:Security : REPORT-src_ip_for_windows_security”
Set the Extraction/Transform to “Source_Network_Address_as_src_ip,Client_Address_as_src_ip_modified”
Transformation for src:
Make another new transformation
Set the Name to: Client_Address_as_src_modified
Set the Regular expression to: ([\]+)?([^f:\n][^-].*)
Set the Source_Key to: Client_Address
Set the Format to: src::"$2"
Save the extraction.
Note: Make sure the permissions for this are Global and also that the transformation goes into the Splunk_TA_Windows App.
Go to Settings > Fields > Field extractions
Find and modify the extraction named “source::*:Security : REPORT-src_for_windows_security”
Set the Extraction/Transform to “Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src_modified,ComputerName_as_src”
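As an added example (not part of the post above and not code from Splunk_TA_Windows), the following Python emulates what a Splunk transform with a two-group REGEX and FORMAT = src_ip::"$2" does to Client_Address values. It uses its own regex, written for this example and labelled as an assumption in the code, rather than the one quoted in the post, so that the behaviour on edge cases can be walked through offline: an IPv4-mapped IPv6 value loses its ::ffff: prefix, a plain IPv4 value passes through unchanged, and the "-" placeholder Windows writes for an empty address, a native IPv6 address, and an out-of-range octet all yield no field (in Splunk, a non-matching transform simply leaves src_ip unset).

```python
import ipaddress
import re

# Assumed regex for this example (NOT the regex from the post above):
# group 1 optionally consumes the IPv4-mapped IPv6 prefix, group 2 is the
# bare dotted-quad, which is what FORMAT = src_ip::"$2" would emit.
CLIENT_ADDRESS_RE = re.compile(r"^(::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})$", re.IGNORECASE)


def extract_src_ip(client_address: str):
    """Return what a transform with FORMAT src_ip::"$2" would produce for one
    Client_Address value, or None when the regex does not match (Splunk then
    leaves the field unset instead of writing an empty value)."""
    m = CLIENT_ADDRESS_RE.match(client_address.strip())
    if not m:
        return None
    candidate = m.group(2)
    # A regex cannot range-check octets; reject values such as 999.1.1.1 that
    # a \d{1,3} pattern accepts but that are not valid IPv4 addresses.
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ipaddress.AddressValueError:
        return None


# Constructed Client_Address values in the shapes seen in Windows Security
# events (not copied from a real log). "-" is what Windows logs when the
# address is empty, e.g. for local logons.
SAMPLE_CLIENT_ADDRESSES = [
    "::ffff:10.20.30.40",         # IPv4-mapped IPv6: prefix stripped
    "192.168.1.5",                # plain IPv4: unchanged
    "::FFFF:172.16.0.9",          # upper-case prefix: still stripped
    "-",                          # placeholder: no src_ip
    "::1",                        # IPv6 loopback: no src_ip
    "fe80::1ff:fe23:4567:890a",   # native IPv6: no src_ip
    "999.1.1.1",                  # invalid octet: no src_ip
]


def normalise_all(values):
    """Map each raw Client_Address to the src_ip the transform would yield."""
    return {v: extract_src_ip(v) for v in values}


if __name__ == "__main__":
    for raw, ip in normalise_all(SAMPLE_CLIENT_ADDRESSES).items():
        print(f"{raw!r:32} -> {ip}")
```

Two things worth keeping in mind when porting logic like this into transforms.conf and props.conf (which is where the Settings > Fields > Transformations and Field extractions pages write their stanzas): Splunk's REGEX is PCRE rather than Python re, so test the pattern in a search with rex before saving it, and any pattern that only admits dotted quads will leave src and src_ip empty for genuinely IPv6 clients, so check whether your environment has any before relying on those fields for correlation.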