The SEDCMD-remove_ffff is already present and commented in Splunk_TA_windows version 6.0 (but don't change it in the default file).
So you could just:
Create/update Splunk_TA_windows/local/props.conf
[source::WinEventLog:Security]
SEDCMD-remove_ffff = s/::ffff://g
[source::WinEventLog:ForwardedEvents]
SEDCMD-remove_ffff = s/::ffff://g
[WMI:WinEventLog:Security]
SEDCMD-remove_ffff = s/::ffff://g
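An added example, not part of the original post: a shell check that runs the same sed expression as the SEDCMD above over constructed sample event lines, showing that the IPv4-mapped prefix is stripped while native IPv6 addresses are left alone. The sample lines and function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample lines modelled on Windows Security event fields
# (illustrative only, not real log data).
sample_events() {
cat <<'EOF'
EventCode=4624 Source Network Address: ::ffff:10.20.30.40 Source Port: 51544
EventCode=4624 Source Network Address: 192.168.1.15 Source Port: 49822
EventCode=4625 Source Network Address: fe80::1c2d:3e4f:5a6b:7c8d Source Port: 0
EventCode=4624 Source Network Address: ::1 Source Port: 0
EOF
}

# Same expression as the SEDCMD-remove_ffff value in props.conf.
strip_mapped() {
    sed 's/::ffff://g'
}

# Count lines that still carry the IPv4-mapped prefix.
# grep -c exits non-zero on zero matches, so mask the exit status.
count_mapped() {
    grep -c '::ffff:' || true
}

before=$(sample_events | count_mapped)
after=$(sample_events | strip_mapped | count_mapped)
echo "lines with ::ffff: prefix before: $before, after: $after"

# Show the rewritten events; the fe80:: and ::1 lines must be unchanged.
sample_events | strip_mapped
```

The expression is case-sensitive and unanchored, so it removes the literal lowercase string `::ffff:` wherever it appears in the event text.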