Hello, we were able to modify the data by modifying the props.conf and transforms.conf.
I've posted our changes below in case anyone else has similar issues.
props.conf
[host::IP Address here]
TRANSFORMS-t1=rename_host
transforms.conf
[rename_host]
REGEX=Original Address=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
DEST_KEY=MetaData:Host
FORMAT=host::$1
The files need to be added (if missing) or modified in the following directories:
/opt/splunk/etc/apps/cisco-ios
and
/opt/splunk/etc/apps/TA-cisco-ios
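An offline check of a rename_host-style pattern against sample events, added here as an example and not part of the original post; it compares the pattern written with a bare `.` against the same pattern with `\.`. The event lines and the `relay01` host name are constructed, and the IPv4 validity check is an extra that the Splunk transform itself does not perform.

```python
import ipaddress
import re

# The host-extraction pattern with a bare "." (any character) and with "\." (literal dot).
BARE_DOT = re.compile(r"Original Address=(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})")
ESCAPED = re.compile(r"Original Address=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")

# Constructed sample events (not real device output).
SAMPLES = [
    "Jan 01 00:00:00 relay msg: Original Address=192.0.2.10 link up",
    "Jan 01 00:00:01 relay msg: no address field here",
    "Jan 01 00:00:02 relay msg: Original Address=10x20x30x40 junk",
    "Jan 01 00:00:03 relay msg: Original Address=999.1.1.1",
]


def rewritten_host(event, default_host, pattern=ESCAPED):
    """Return (host, note) as the event would carry them after the rewrite.

    Emulates DEST_KEY=MetaData:Host with FORMAT=host::$1: on a match the
    first capture group becomes the host, otherwise the host is unchanged.
    """
    m = pattern.search(event)
    if not m:
        return default_host, "no match, host unchanged"
    candidate = m.group(1)
    try:
        # Extra sanity check: the regex alone accepts octets above 255.
        ipaddress.IPv4Address(candidate)
    except ValueError:
        return candidate, "matched, but not a valid IPv4 address"
    return candidate, "matched"


def compare(events, default_host):
    """List, per event, the host produced by each variant of the pattern."""
    return [
        (rewritten_host(e, default_host, BARE_DOT)[0],
         rewritten_host(e, default_host, ESCAPED)[0])
        for e in events
    ]


if __name__ == "__main__":
    for event, (bare, escaped) in zip(SAMPLES, compare(SAMPLES, "relay01")):
        print(f"bare-dot host={bare!r:16} escaped host={escaped!r:16} <- {event}")
```

Because the host field is taken from event content, any sender that can write an `Original Address=` string into the stream can set the indexed host value, so the stanza is best scoped to the relay's own host as the props.conf above does.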