Re-write host field for Splunk
Hello, this is probably simple, but I can’t get it to work. I just want to remove IPV6 encapsulation from the host field of events arriving at Cribl via syslog. So, existing host field is ::ffff:10.1.1.1, I want it to be just 10.1.1.1. For some reason I can’t get this to work, Splunk shows a null value for host when I try to EVAL, MASK, REGEX, etc. Anyone have a way to do this?