Field extraction for IP ADFS Logs - Splunk Community

Splunk Search

Hello,

I found one post but the REGEX search didn't work. How would I extract the IP into a new field that comes after http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip. For example, here's the actual log:

10/24/2018 11:09:33 AM
LogName=Security
SourceName=AD FS Auditing
... 8 lines omitted ...
OpCode=Info
... 5 lines omitted ...

Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
... 6 lines omitted ...
S-1-5-21-1869490827-231744046-782984527-6480
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1869490827-231744046-782984527-5748
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-3559849827-2309094810-816736563-404642
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-2029530193-91048431-1849977318-34517
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
99.203.16.212
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
DOMAIN\johndoe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
johndoe@johndoe.com

I'm looking to extract any IP after that x-ms-forwarded-client-ip string.

Thank you!

Try this

|rex field=_raw "x-ms-forwarded-client-ip\s+(?<ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers, So you searched, “what is the name of the usb key inserted by bob smith?” Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register Is your ...