I have the workstation name and IP address — how do I find out which users were logged in to the machine (Linux) and Windows, if possible?
What data from that machine does Splunk have? Are you indexing the audit log? Maybe the 'who' command from the Linux TA? It's hard to answer this question without knowing what there is to work with.
Yes I am indexing audit logs.