and with the first command, index=internal xx.xx.xx.xx, I get:
1/12/15
7:43:52.260 PM
192.168.48.247 - admin [12/Jan/2015:19:43:52.260 +0000] "GET /en-US/api/shelper?snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D%22_audi%22+54.174.120.69&useTypeahead=true&useAssistant=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&=1421091322744 HTTP/1.0" 200 641 "https://prd-p-c325dgfktbm7.cloud.splunk.com/en-US/app/search/search?q=search%20index%3D%22_audit%22%2054.174.120.69&earliest=&latest=&display.page.search.tab=events&sid=1421091825.12991" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36" - 54b423f8427f421431a250 20ms
host = ip-192-168-16-190 source = /opt/splunk/var/log/splunk/web_access.log sourcetype = splunk_web_access
1/12/15
7:43:46.729 PM
01-12-2015 19:43:46.729 +0000 INFO StatusMgr - destPort=9997, eventType=connect_close, group=tcpin_connections, sourceHost=54.174.120.69, sourceIp=54.174.120.69, sourcePort=33886, statusee=TcpInputProcessor
host = ip-192-168-16-190 source = /opt/splunk/var/log/splunk/metrics.log sourcetype = splunkd
1/12/15
7:43:46.707 PM
01-12-2015 19:43:46.707 +0000 INFO StatusMgr - destPort=9997, eventType=connect_done, group=tcpin_connections, sourceHost=54.174.120.69, sourceIp=54.174.120.69, sourcePort=33886, statusee=TcpInputProcessor
host = ip-192-168-16-190 source = /opt/splunk/var/log/splunk/metrics.log sourcetype = splunkd