Let me share my AWS VPC Flow Log parsing rule. It contains braking down content line line into fields and replacing some IP addresses belonging to specific networks (while keeping originals under different names however for temporary/testing purposes):

PARSE(content, "
STRING:account_id SPACE
STRING:action SPACE
STRING:az_id SPACE
INT:bytes SPACE
IPV4:dstaddr SPACE
INT:dstport SPACE
STRING:end SPACE
STRING:flow_direction SPACE
STRING:instance_id SPACE
STRING:interface_id SPACE
STRING:log_status SPACE
INT:packets SPACE
STRING:pkt_dst_aws_service SPACE
IPADDR:pkt_dstaddr SPACE
STRING:pkt_src_aws_service SPACE
IPV4:pkt_srcaddr SPACE
INT:protocol SPACE
STRING:region SPACE
IPV4:srcaddr SPACE
INT:srcport SPACE
STRING:start SPACE
STRING:sublocation_id SPACE
STRING:sublocation_type SPACE
STRING:subnet_id SPACE
INT:tcp_flags SPACE
STRING:traffic_path SPACE
STRING:type SPACE
STRING:version SPACE
STRING:vpc_id"
)
| FIELDS_ADD(
    log.type:("aws.vpc"),
    srcaddr_orig:srcaddr,
    dstaddr_orig:dstaddr)
| FIELDS_ADD (
	dstaddr : IF( 
       flow_direction=="egress" AND pkt_dst_aws_service=="-" AND NOT (
       IP_TRUNC(dstaddr,8)==IPADDR("10.0.0.0") OR IP_TRUNC(dstaddr,12)==IPADDR("172.16.0.0") OR IP_TRUNC(dstaddr,16)==IPADDR("192.168.0.0")),
       IPADDR("0.0.0.0") ,
       dstaddr),
	srcaddr : IF( 
       flow_direction=="ingress" AND pkt_src_aws_service=="-" AND NOT (
       IP_TRUNC(srcaddr,8)==IPADDR("10.0.0.0") OR IP_TRUNC(srcaddr,12)==IPADDR("172.16.0.0") OR IP_TRUNC(srcaddr,16)==IPADDR("192.168.0.0")),
       IPADDR("0.0.0.0"), 
       srcaddr)
)

Kris