In Splunk Cloud, we want to monitor failed login attempts against the Splunk Cloud search head.
This log is visible under index=_audit, but with the wrong src IP address:
Audit:[timestamp=09-03-2019 08:02:02.041, user=myuser, action=login attempt, info=failed, src=127.0.0.1][n/a]
Audit:[timestamp=09-03-2019 08:56:42.518, user=myuser, action=login attempt, info=succeeded, src=127.0.0.1][n/a]
However, when doing a REST API call, I do get the correct IP address (masking it in the example below):
Audit:[timestamp=09-03-2019 09:05:52.123, user=myuser, action=login attempt, info=succeeded, src=8.8.8.8][n/a]
Any suggestions, or should I make a request to Splunk?
I would submit a Support request.