Field extraction for IP ADFS Logs - Splunk Community

Splunk Search

Hello,

I found one post but the REGEX search didn't work. How would I extract the IP into a new field that comes after http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip. For example, here's the actual log:

10/24/2018 11:09:33 AM
LogName=Security
SourceName=AD FS Auditing
... 8 lines omitted ...
OpCode=Info
... 5 lines omitted ...

Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
... 6 lines omitted ...
S-1-5-21-1869490827-231744046-782984527-6480
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1869490827-231744046-782984527-5748
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-3559849827-2309094810-816736563-404642
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-2029530193-91048431-1849977318-34517
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
99.203.16.212
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
DOMAIN\johndoe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
johndoe@johndoe.com

I'm looking to extract any IP after that x-ms-forwarded-client-ip string.

Thank you!

Try this

|rex field=_raw "x-ms-forwarded-client-ip\s+(?<ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"

Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...