Hello,
The X-Forwarded-For header is not standard content for the access combined sourcetype. Since this header can contain a variable number of IP addresses, separated by commas you will need an extraction regex which expects a field with multiple IP addresses and extracts clientip as the first, this could be problematic due to the spaces which might be present in that field so you would need a fairly advanced regex to work reliably and not miss the other extractions for the event. I've looked around in answers and it seems like perhaps nobody has come up with a clean way to do what you are after. The built in extractions for apache logs depend heavily on extracting fields delimited by spaces, so an unquoted multivalued field containing spaces is going to be a problem. You could quote it in the log format string and make the extraction of this header easier, but at this point, you still have a list of an unpredictable number of IPs where the first is expected to be the actual client.
I will keep looking for options as I find some time, but you may want to consider a different path. We have our load balancer/CDN add a custom X header containing the client's true IP and we use the contents of this field as the clientip field in our log format string and this works pretty well.
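As an added example (not code from the original post, nor from Splunk or Apache), the parser below shows the quoted-header approach the answer describes: the assumed LogFormat appends `"%{X-Forwarded-For}i"` as a quoted token, so the comma-and-space list cannot disturb the space-delimited fields before it, and `clientip` is derived as the leftmost hop with a fallback to the connecting peer when the header is absent. The field names (`peer_ip`, `xff`, `clientip_valid`), the LogFormat and the sample lines are all assumptions constructed for the example. Because the header value is written by whoever sent the request, the example also records whether the chosen value actually parses as an IP address rather than assuming it does.

```python
import ipaddress
import re

# Assumed Apache LogFormat for this example (not taken from the original post):
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\""
# Quoting the header keeps the comma/space-separated IP list as one token, so the
# space-delimited fields before it are unaffected by whatever the header contains.
LOG_RE = re.compile(
    r'^(?P<peer_ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)" "(?P<xff>[^"]*)"$'
)


def is_ip(value):
    """True if value is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def split_xff(raw):
    """Split an X-Forwarded-For value on commas and drop surrounding whitespace.
    Returns [] for an absent header, which Apache logs as '-'."""
    if raw in ('', '-'):
        return []
    return [hop.strip() for hop in raw.split(',') if hop.strip()]


def parse_line(line):
    """Parse one access log line into a dict, deriving clientip from X-Forwarded-For.

    clientip is the first (leftmost) XFF hop when the header is present, otherwise
    the connecting peer (%h). clientip_valid records whether that value parses as
    an IP address, since the header is client-supplied and may hold arbitrary text.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    hops = split_xff(fields['xff'])
    fields['xff_ips'] = hops
    fields['clientip'] = hops[0] if hops else fields['peer_ip']
    fields['clientip_valid'] = is_ip(fields['clientip'])
    return fields


# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LINES = [
    # Two hops with a space after the comma: client, then an intermediate proxy.
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 '
    '"-" "Mozilla/5.0" "198.51.100.7, 203.0.113.10"',
    # No X-Forwarded-For at all: fall back to the peer address.
    '10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /robots.txt HTTP/1.1" 200 68 '
    '"-" "curl/8.0" "-"',
    # Non-IP text in the header: the other fields still extract, clientip is flagged invalid.
    '10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 0 '
    '"https://example.test/" "Mozilla/5.0" "not an ip, 198.51.100.9"',
]


def parse_samples():
    """Parse every constructed sample line; used by the demo below."""
    return [parse_line(line) for line in SAMPLE_LINES]


if __name__ == '__main__':
    for rec in parse_samples():
        print(rec['clientip'], rec['clientip_valid'], rec['xff_ips'], rec['status'])
```

The named-group regex is written in PCRE-compatible syntax, so it can serve as the starting point for a custom extraction in Splunk rather than relying on the stock access_combined extractions; the `clientip_valid` flag is the part worth keeping in either case, since a non-IP value in that field is a useful signal that something upstream is writing the header.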