Tag Archives: REST

Splunk – List REST API users and their IPs

Want to get a list REST API users and their IPs?

Run this search

index=_internal
host IN(SH1,SH2,SH3)
sourcetype=splunkd_access
user != "-"
clientip != "IP_of_SH1" clientip != "IP_of_SH2" clientip != “IP_of_SH3”
NOT TERM(127.0.0.1)
NOT TERM(splunk-system-user)
| stats values(clientip) by user

The limitation is if the users are going via a Load Balancer, you will see  Load Balancer’s IP as the clientip