Splunk Search

Field extraction for IP ADFS Logs

donaldmayo
New Member

Hello,

I found one post but the REGEX search didn't work. How would I extract the IP into a new field that comes after http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip. For example, here's the actual log:

10/24/2018 11:09:33 AM
LogName=Security
SourceName=AD FS Auditing
... 8 lines omitted ...
OpCode=Info
... 5 lines omitted ...

Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
... 6 lines omitted ...
S-1-5-21-1869490827-231744046-782984527-6480
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1869490827-231744046-782984527-5748
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-3559849827-2309094810-816736563-404642
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-2029530193-91048431-1849977318-34517
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
99.203.16.212
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
DOMAIN\johndoe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
johndoe@johndoe.com

I'm looking to extract any IP after that x-ms-forwarded-client-ip string.

Thank you!


Vijeta
Influencer

Try this

|rex field=_raw "x-ms-forwarded-client-ip\s+(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
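Added example, not code from the thread: Python that applies the same pattern (with the dots escaped, and the captured octets validated) to a constructed copy of the posted event, and a small parser for the "Caller identity" block so every claim, including the repeated groupsid, can be read by name. The URI-line-then-value-line layout of that block is assumed from the event as it appears in the question.

```python
import ipaddress
import re

# Constructed sample modelled on the event in the question (values made up).
ADFS_EVENT = """10/24/2018 11:09:33 AM
LogName=Security
SourceName=AD FS Auditing
OpCode=Info

Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1869490827-231744046-782984527-6480
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-2029530193-91048431-1849977318-34517
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
99.203.16.212
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
DOMAIN\\johndoe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
johndoe@johndoe.com
"""

# Same pattern as the Splunk rex, with the dots escaped so only literal
# separators match (an unescaped "." would also accept "99a203b16c212").
FORWARDED_IP_RE = re.compile(
    r"x-ms-forwarded-client-ip\s+(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)


def extract_forwarded_ip(event: str):
    """Return the forwarded client IP as a validated string, or None."""
    m = FORWARDED_IP_RE.search(event)
    if not m:
        return None
    try:
        # \d{1,3} still admits octets such as 999; let ipaddress reject them.
        return str(ipaddress.IPv4Address(m.group("ip")))
    except ipaddress.AddressValueError:
        return None


def parse_claims(event: str):
    """Map each claim name in the 'Caller identity' block to its values.

    Claims are emitted as a URI line followed by a value line (assumed
    layout); groupsid repeats, so every claim maps to a list.
    """
    claims = {}
    _, _, block = event.partition("Caller identity:")
    lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
    for uri, value in zip(lines[0::2], lines[1::2]):
        claims.setdefault(uri.rsplit("/", 1)[-1], []).append(value)
    return claims
```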