I am collecting nginx logs in graylog. one of the log field is xff header.
Now xff header can have the unpredictable amount of ips.
Some time string is like “xff=184.108.40.206” and some time is like “xff=220.127.116.11, 18.104.22.168” and some time reaches up to 5 ips.
Now I want to parse them into different fields. Do not know how to do it.
What I want is for “xff=22.214.171.124” it should be “xff1=126.96.36.199” and for “xff=188.8.131.52, 184.108.40.206” it should be “xff1=220.127.116.11, xff2=18.104.22.168”.
Is it possible? or someone has any other idea?