I have a field that I need to remove the “::ffff:” from to just give me the IPv4.
Is there a way to add this as a pipeline rule?
event_data_IpAddress ::ffff:192.168.69.141
I found this example but I’m not sure how to build this into a pipeline:
// Extract the substring starting at offset 0 and stopping at offset 2
// Below example will return “ab”
substring(“abc”, 0, 2)
Hey, I actually figured it out on my own. For anyone else looking to do something similar:
rule “Windows: Event 4678 Cleanup”
when
has_field(“event_data_Status”) AND contains(to_string($message.event_id), “4768”)
then
//Change Logon Code
let update_source = lookup_value(“winlogon_status_lookup”, $message.event_data_Status);
set_field(“event_data_Status”, update_source);
//Cleanup IP Address
let ip_address = to_string($message.event_data_IpAddress);
set_field(“event_data_IpAddress”,substring(ip_address,7));
end
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
