Solved: Issue with having same client ip address

haripriyasarve1 · ‎10-28-2020

Hi Everyone,

I need to create a dashboard to know from which location the user is accessing the splunkweb.

The issue is in my splunk _internal webaccess logs , every log has same ipaddress as 127.0.0.1

How to change this configuration and how to know from which location the user is accessing the splunk web.

Thanks in advance.

isoutamo · ‎10-28-2020

Hi

You could try this:

index=_internal sourcetype=splunkd_ui_access user=* clientip=* source="*/var/log/splunk/splunkd_ui_access.log" 
| stats latest_time(_time) as _time values(clientip) by user

r. Ismo

View solution in original post

isoutamo · ‎10-28-2020

Hi

You could try this:

index=_internal sourcetype=splunkd_ui_access user=* clientip=* source="*/var/log/splunk/splunkd_ui_access.log" 
| stats latest_time(_time) as _time values(clientip) by user

r. Ismo

haripriyasarve1 · ‎10-31-2020

Thank you

richgalloway · ‎10-28-2020

What query are you using to find accesses? Where are you getting the data?

---
If this reply helps you, Karma would be appreciated.

haripriyasarve1 · ‎10-28-2020

I am using the below query to see get the list of users and their ipaddress for the app they are using.

index=_internal source=*web_access.log* "*appname*"
|table clientip user

isoutamo · ‎10-29-2020

This probably will give always to 127.0.0.1 to you. So better to use sourcetype=splunkd_ui_access user=* clientip=* source="*/var/log/splunk/splunkd_ui_access.log" to get those IP's which are used to connect to splunk web ui. BUT if you are using LB in front of you SHC, then this is probably that address, not the real user's ip.

Issue with having same client ip address

administration

Analytics Workspace

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!