How do I extract the first IP address from the following: X-Forwarded-For":"1.1.1.1, 2.2.2.2?
I am currently using the following query:
fields @timestamp, @message
| filter @message like /Endpoint request body after transformations/
| parse @message "X-Forwarded-For\":\"*\"" as @IP
| stats count(*) by @IP
| limit 20
However, when I run the query, I get results like this:
1.1.1.1, 2.2.2.4
1.1.1.1, 2.2.2.5
1.1.1.1, 2.2.2.6
What changes do I need to make in my query to only extract the first IP address?
If you always have more than one IP, separated by commas, you can just terminate the parsing at the comma (,) instead of at the closing quote (\"), like this:
| parse @message "X-Forwarded-For\":\"*," as @IP
If you can also have just 1 IP, without the comma at the end, then you can do something like this:
| parse @message /X-Forwarded-For\":\"(?<@IP>.*?)[,\"]/
This will take everything up to the first comma or the end quote, if the comma is not there.
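As an added illustration (not part of the original question or answer), the two parse patterns from the answer can be reproduced with Python regexes and run over a few constructed log lines. This shows why the glob form that stops at the comma is not enough: it fails on a single-IP value, and if any JSON field follows the header it runs past the closing quote and captures a stray quote character, while the regex form that stops at either a comma or a quote handles all of these. The sample messages and the helper names (first_ip_glob, first_ip_regex, count_first_ips) are invented for this example; the Logs Insights glob `*` is modelled here as a lazy match, which is an assumption about its semantics.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post). They mimic the
# "Endpoint request body after transformations" messages the question filters on.
SAMPLE_MESSAGES = [
    'Endpoint request body after transformations: {"X-Forwarded-For":"1.1.1.1, 2.2.2.4"}',
    'Endpoint request body after transformations: {"X-Forwarded-For":"1.1.1.1, 2.2.2.5"}',
    'Endpoint request body after transformations: {"X-Forwarded-For":"3.3.3.3"}',
    'Endpoint request body after transformations: {"X-Forwarded-For":"4.4.4.4","Host":"example.com"}',
    'Endpoint request body after transformations: {"X-Forwarded-For":"1.1.1.1, 2.2.2.6, 10.0.0.1"}',
    'Some unrelated line without the header',
]

# Python equivalent of the glob-style parse from the answer:
#   | parse @message "X-Forwarded-For\":\"*," as @IP
# The '*' is modelled as a lazy match up to the first ',' (assumption). A single-IP
# value has no comma, so this either fails or runs on to the next JSON field.
GLOB_STYLE = re.compile(r'X-Forwarded-For":"(.*?),')

# Python equivalent of the regex parse from the answer:
#   | parse @message /X-Forwarded-For\":\"(?<@IP>.*?)[,\"]/
# Python spells named groups (?P<name>...) rather than (?<@name>...).
REGEX_STYLE = re.compile(r'X-Forwarded-For":"(?P<IP>.*?)[,"]')


def first_ip_glob(message):
    """First X-Forwarded-For entry using the comma-terminated glob; None if no match."""
    m = GLOB_STYLE.search(message)
    return m.group(1) if m else None


def first_ip_regex(message):
    """First X-Forwarded-For entry using the comma-or-quote-terminated regex; None if no match."""
    m = REGEX_STYLE.search(message)
    return m.group("IP") if m else None


def count_first_ips(messages, extractor=first_ip_regex):
    """Mirror of: filter ... | parse ... | stats count(*) by @IP."""
    counts = Counter()
    for msg in messages:
        # Same filter as the question's query.
        if "Endpoint request body after transformations" not in msg:
            continue
        ip = extractor(msg)
        if ip is not None:
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"glob={first_ip_glob(msg)!r:12} regex={first_ip_regex(msg)!r:12} <- {msg}")
    print("regex counts:", count_first_ips(SAMPLE_MESSAGES))
    print("glob counts: ", count_first_ips(SAMPLE_MESSAGES, first_ip_glob))
```

Running this, the glob form returns None for the bare "3.3.3.3" line and '4.4.4.4"' (with the quote) for the line that has a following field, whereas the regex form returns the clean first entry in every case. One caveat that matters when this count feeds a security decision: the first X-Forwarded-For entry is whatever the first hop wrote, and any client can set the header itself, so unless the edge proxy strips or overwrites the incoming header, the leftmost address is attacker-controlled and only the entries appended by proxies you trust are reliable.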