This has been addressed in a couple of different threads, but try starting here:
I'm also planning to install the UF on my DMZ servers and I need to monitor who is accessing my DMZ servers from internal/external sources. What would be the best search command to execute in the Splunk Web interface?
Can you tell me what search value I need to execute in order to tell who is accessing my Web Server?