Hi Everyone,
I need to create a dashboard to know from which location the user is accessing the splunkweb.
The issue is in my splunk _internal webaccess logs , every log has same ipaddress as 127.0.0.1
How to change this configuration and how to know from which location the user is accessing the splunk web.
Thanks in advance.
Hi
You could try this:
index=_internal sourcetype=splunkd_ui_access user=* clientip=* source="*/var/log/splunk/splunkd_ui_access.log"
| stats latest_time(_time) as _time values(clientip) by user
r. Ismo
Hi
You could try this:
index=_internal sourcetype=splunkd_ui_access user=* clientip=* source="*/var/log/splunk/splunkd_ui_access.log"
| stats latest_time(_time) as _time values(clientip) by user
r. Ismo
Thank you
What query are you using to find accesses? Where are you getting the data?
I am using the below query to see get the list of users and their ipaddress for the app they are using.
index=_internal source=*web_access.log* "*appname*"
|table clientip user