I'm trying to grok these entries:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken X-Forwarded-For
2020-10-23 19:35:15 10.10.10.73 GET /some/path/here.exe - 443 - 10.10.10.124 ELB-HealthChecker/2.0 - 200 0 0 182 -
2020-10-23 19:35:24 10.10.10.73 GET / - 443 - 10.10.10.11 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:81.0)+Gecko/20100101+Firefox/81.0 - 302 0 0 110 8.8.8.9
If I use something like this, %{IPORHOST:iis.access.xforwardedfor} for X-Forwarded-For, it fails with the below error.
"type"=>"illegal_argument_exception", "reason"=>"'-' is not an IP string literal."
Because it sends - for some requests.
How can I meet my need?
If the value for X-Forwarded-For is '-', I'm OK to simply drop the field.
My end goal is: if I see a real IP for X-Forwarded-For, I need to store it in a field with the correct field type of IPORHOST.
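
The behaviour asked for above, sketched in Python as an added example (not part of the original post and not Logstash or Elasticsearch code): it parses the two entries by their #Fields header, drops every field whose value is '-', and stores X-Forwarded-For only when it is a valid IP literal. The key `iis.access.xforwardedfor_raw` is a hypothetical name for values that fail validation, kept because the header is client-supplied and may hold anything.

```python
import ipaddress

# Constructed sample: the #Fields header and the two entries shown in the post.
SAMPLE = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken X-Forwarded-For
2020-10-23 19:35:15 10.10.10.73 GET /some/path/here.exe - 443 - 10.10.10.124 ELB-HealthChecker/2.0 - 200 0 0 182 -
2020-10-23 19:35:24 10.10.10.73 GET / - 443 - 10.10.10.11 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:81.0)+Gecko/20100101+Firefox/81.0 - 302 0 0 110 8.8.8.9
"""

XFF_KEY = "iis.access.xforwardedfor"   # field name used in the post
XFF_RAW_KEY = XFF_KEY + "_raw"         # hypothetical name for non-IP values


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts.

    '-' is the format's marker for "no value", so such fields are dropped
    instead of being passed on to an IP-typed field.
    """
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the lines below
            continue
        if not line.strip() or line.startswith("#"):
            continue                       # other directives and blank lines
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated or malformed entry
        event = {k: v for k, v in zip(fields, values) if v != "-"}
        xff = event.pop("X-Forwarded-For", None)
        if xff is not None:
            try:
                # Store only a value that really is an IPv4/IPv6 literal.
                event[XFF_KEY] = str(ipaddress.ip_address(xff))
            except ValueError:
                # Client-controlled header: keep the text, but not as an IP.
                event[XFF_RAW_KEY] = xff
        events.append(event)
    return events


if __name__ == "__main__":
    for ev in parse_w3c(SAMPLE):
        print(ev.get("c-ip"), ev.get(XFF_KEY, "<no X-Forwarded-For>"))
```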