If you have apache access logs that capture the
X-Forwarded-For header because it has passed through a proxy or for some other reason. It might sometimes come in as a comma separated list of ip addresses of which proxies it has passed through.
10.10.10.10,192.168.255.255 - - [18/Mar/2014:11:05:37 -0400] "GET / HTTP/1.1" 200 1000
In Splunk you would split the client IP by using
makemv to be able to search through the field as if it were multiple values.
source="/var/www/html/access_log" | makemv delim=";" clientip