Hello,
I found one post but the REGEX search didn't work. How would I extract the IP into a new field that comes after http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip. For example, here's the actual log:
10/24/2018 11:09:33 AM LogName=Security SourceName=AD FS Auditing ... 8 lines omitted ... OpCode=Info ... 5 lines omitted ...
Caller identity: http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid ... 6 lines omitted ... S-1-5-21-1869490827-231744046-782984527-6480 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-21-1869490827-231744046-782984527-5748 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-21-3559849827-2309094810-816736563-404642 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid S-1-5-21-2029530193-91048431-1849977318-34517 http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip 99.203.16.212 http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname DOMAIN\johndoe http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn johndoe@johndoe.com
I'm looking to extract any IP after that x-ms-forwarded-client-ip string.
Thank you!
Try this
|rex field=_raw "x-ms-forwarded-client-ip\s+(?<ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
