I am trying to extract data out of an adfs log, but I do not how how I would do this (regex and I can't seem to get along..). I have the following data extracted into a field called "Message" that is inside the security logs of our adfs servers (bold added by me..):

Token validation failed. See inner exception for more details. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 Token Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName Client IP: 192.168.1.1,192.168.1.2 Error message: email@domain -The user name or password is incorrect Exception details: System.IdentityModel.Tokens.SecurityTokenValidationException: email@domain ---> System.ComponentModel.Win32Exception: The user name or password is incorrect at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token) --- End of inner exception stack trace --- at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token) System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

I would like to get 3 pieces of information out of this already extracted field:

The client IP: It can be one or two IP addresses here. The first one is the real client IP (which can be an IPv4 or an IPv6 address) and the second one (if present..its not always there) is the proxied address via Microsoft. If there are two, they are separated by a comma. It would be nice if there was only one, I would get a field called "clientIP" and if there were two, the first one would still be "client IP" and the second one would be "intermediateIP". The IP addresses should be between the "Client IP:" and "Error Message:" text in the Message field.

The email address of the person in a field called "adfsEmail". This should be after the "Error Message:" text. It should end with a "-" followed by the error type, but since the email address itself may contain a "-" (before or after the @), I'm not sure if this can be used.

The actual error message in a field called "errorMessage". This should be after the email address mentioned above and before the "Exception details:" text.

Trying a "hail mary" here, so if anyone proficient with regex can figure this out, it would be greatly appreciated!