https://community.splunk.com/t5/Splunk-Search/IP-address-of-current-user/m-p/310954#M93236 <P>Depending on your infrastructure, the following <EM>may</EM> work:</P> <PRE><CODE>index=_internal sourcetype=splunkd_ui_access [| rest /services/authentication/current-context splunk_server=local | stats values(username) AS search | format ] | head 1 | stats list(clientip) AS clientip </CODE></PRE> <P>The subsearch will return the username of the user who is currently logged in. It uses that to search across <CODE>splunkd_ui_access</CODE> logs and extracts the <CODE>clientip</CODE> from the latest matching one.</P> <P>However, this doesn't work at all on my system, because we have a proxy on our Splunk server, which means this returns 127.0.0.1 for every user. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> So your mileage may vary.</P> Fri, 23 Feb 2018 22:37:43 GMT elliotproebstel 2018-02-23T22:37:43Z https://community.splunk.com/t5/Splunk-Search/IP-address-of-current-user/m-p/310951#M93233 <P>I'm trying to write a query to display the IP address of the current user. Anyone know how to do this?</P> Fri, 23 Feb 2018 21:10:14 GMT https://community.splunk.com/t5/Splunk-Search/IP-address-of-current-user/m-p/310951#M93233 matstap 2018-02-23T21:10:14Z https://community.splunk.com/t5/Splunk-Search/IP-address-of-current-user/m-p/310952#M93234 <P>Current user using Splunk Web UI (trying to display from user logged in from)?</P> Fri, 23 Feb 2018 21:18:27 GMT https://community.splunk.com/t5/Splunk-Search/IP-address-of-current-user/m-p/310952#M93234 somesoni2 2018-02-23T21:18:27Z https://community.splunk.com/t5/Splunk-Search/IP-address-of-current-user/m-p/310953#M93235 <P>We're going to need more information than that..</P> <P>Are your events logging in Splunk? Did you have a field that captures the IP addresses? Do you have a field or lookup table of users? You want the current users IP address who's logged into Splunk? And lastly, ofcourse we know how to do this.. You provide the correct information and we provide the correct solution <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 23 Feb 2018 21:37:00 GMT https://community.splunk.com/t5/Splunk-Search/IP-address-of-current-user/m-p/310953#M93235 skoelpin 2018-02-23T21:37:00Z https://community.splunk.com/t5/Splunk-Search/IP-address-of-current-user/m-p/310954#M93236 <P>Depending on your infrastructure, the following <EM>may</EM> work:</P> <PRE><CODE>index=_internal sourcetype=splunkd_ui_access [| rest /services/authentication/current-context splunk_server=local | stats values(username) AS search | format ] | head 1 | stats list(clientip) AS clientip </CODE></PRE> <P>The subsearch will return the username of the user who is currently logged in. It uses that to search across <CODE>splunkd_ui_access</CODE> logs and extracts the <CODE>clientip</CODE> from the latest matching one.</P> <P>However, this doesn't work at all on my system, because we have a proxy on our Splunk server, which means this returns 127.0.0.1 for every user. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> So your mileage may vary.</P> Fri, 23 Feb 2018 22:37:43 GMT https://community.splunk.com/t5/Splunk-Search/IP-address-of-current-user/m-p/310954#M93236 elliotproebstel 2018-02-23T22:37:43Z