Splunk – List REST API users and their IPs

Want to get a list of REST API users and their IPs?

Run this search

host IN(SH1,SH2,SH3)
user != "-"
clientip != "IP_of_SH1" clientip != "IP_of_SH2" clientip != "IP_of_SH3"
NOT TERM(splunk-system-user)
| stats values(clientip) by user

The limitation is that if users connect through a load balancer, you will see the load balancer's IP as the clientip.
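
The same filtering applied offline to raw log lines, as an added example that is not part of the original post. The access-log line layout, the constructed `SAMPLE_LOG` lines, and the function names are assumptions. It also flags any client IP shared by several users, which is how the load balancer limitation shows up in the results.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed layout: clientip ident user [timestamp] "request" status).
SAMPLE_LOG = """\
10.0.0.11 - splunk-system-user [12/Jan/2024:10:00:01.000 +0000] "GET /services/server/info HTTP/1.1" 200
10.0.0.11 - alice [12/Jan/2024:10:00:02.000 +0000] "GET /services/search/jobs HTTP/1.1" 200
192.0.2.50 - alice [12/Jan/2024:10:00:03.000 +0000] "POST /services/search/jobs HTTP/1.1" 201
192.0.2.50 - svc_report [12/Jan/2024:10:00:04.000 +0000] "GET /services/saved/searches HTTP/1.1" 200
198.51.100.7 - svc_report [12/Jan/2024:10:00:05.000 +0000] "GET /services/saved/searches HTTP/1.1" 200
198.51.100.7 - - [12/Jan/2024:10:00:06.000 +0000] "GET /services/server/info HTTP/1.1" 401
192.0.2.50 - bob [12/Jan/2024:10:00:07.000 +0000] "GET /services/data/indexes HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

def rest_users_by_ip(log_text, search_head_ips, system_user="splunk-system-user"):
    """Equivalent of `stats values(clientip) by user` with the post's exclusions."""
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        user, ip = m["user"], m["clientip"]
        # user != "-", NOT splunk-system-user, and clientip is not a search head
        if user in ("-", system_user) or ip in search_head_ips:
            continue
        users[user].add(ip)
    return {u: sorted(ips) for u, ips in sorted(users.items())}

def shared_ips(users_to_ips, min_users=3):
    """IPs seen for at least `min_users` users: candidate load balancer or proxy addresses."""
    by_ip = defaultdict(set)
    for user, ips in users_to_ips.items():
        for ip in ips:
            by_ip[ip].add(user)
    return {ip: sorted(us) for ip, us in by_ip.items() if len(us) >= min_users}

if __name__ == "__main__":
    result = rest_users_by_ip(SAMPLE_LOG, {"10.0.0.11"})  # constructed search head IP
    print(result)
    print(shared_ips(result))
```

An IP returned by `shared_ips` is only a hint: confirm it against your load balancer or NAT inventory before treating the per-user IPs as unreliable.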
