I am collecting nginx logs in graylog. one of the log field is xff header.
Now xff header can have the unpredictable amount of ips.
Some time string is like “xff=188.8.131.52” and some time is like “xff=184.108.40.206, 220.127.116.11” and some time reaches up to 5 ips.
Now I want to parse them into different fields. Do not know how to do it.
What I want is for “xff=18.104.22.168” it should be “xff1=22.214.171.124” and for “xff=126.96.36.199, 188.8.131.52” it should be “xff1=184.108.40.206, xff2=220.127.116.11”.
Is it possible? or someone has any other idea?