Dealing with multiple IP addresses from access_logs in Splunk


If your Apache access logs capture the X-Forwarded-For header, because requests have passed through a proxy or for some other reason, the client IP field may sometimes arrive as a comma-separated list of the addresses (client and proxies) the request has passed through.

10.10.10.10,192.168.255.255 - - [18/Mar/2014:11:05:37 -0400] "GET / HTTP/1.1" 200 1000

In Splunk you would split the client IP field with makemv so that you can search through the field as if it held multiple values.

source="/var/www/html/access_log" | makemv delim="," clientip
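The same split and "match any value" search, as an added example in Python rather than Splunk's own code; it goes slightly beyond the post by also handling a forwarded chain logged with spaces after the commas. The regular expression, the sample lines other than the one above, and the function names are assumptions made here.

```python
import re

# Combined-log-format line whose first field is the X-Forwarded-For chain
# (one or more comma-separated addresses). clientip is matched non-greedily
# because a chain logged verbatim may contain spaces after the commas.
LOG_RE = re.compile(
    r'^(?P<clientip>.+?) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample lines: the first is the one from the post, the other two
# are made up to exercise a comma-space chain and a plain single-address line.
SAMPLE_LINES = [
    '10.10.10.10,192.168.255.255 - - [18/Mar/2014:11:05:37 -0400] "GET / HTTP/1.1" 200 1000',
    '203.0.113.7, 198.51.100.2, 10.0.0.5 - - [18/Mar/2014:11:06:02 -0400] "GET /login HTTP/1.1" 302 0',
    '192.0.2.44 - - [18/Mar/2014:11:06:09 -0400] "POST /api HTTP/1.1" 500 12',
]


def split_clientip(field, delim=","):
    """Equivalent of `makemv delim="," clientip`: one string -> list of addresses.
    Whitespace around each value is stripped so "a, b" and "a,b" split the same."""
    return [part.strip() for part in field.split(delim) if part.strip()]


def parse_line(line):
    """Parse one access_log line into a dict with clientip as a multivalue list.
    Returns None for lines that do not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["clientip"] = split_clientip(rec["clientip"])
    rec["status"] = int(rec["status"])
    return rec


def search(lines, ip):
    """Like `... | makemv delim="," clientip | search clientip=<ip>`:
    a record matches if ANY element of the multivalue field equals ip."""
    return [rec for rec in map(parse_line, lines) if rec and ip in rec["clientip"]]


def claimed_client(rec):
    """Leftmost element: the address the original client claims to be.
    X-Forwarded-For is a client-supplied header, so treat this value as untrusted
    unless every proxy in the chain is yours; the rightmost element is the peer
    address appended by the proxy closest to this server."""
    return rec["clientip"][0]
```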
