LoFP / Retrieving server information may be a legitimate API request. Verify that the attempt is a valid request for information.

Techniques

Sample rules

Splunk Enterprise Information Disclosure

Description

This search looks for evidence of exploitation of CVE-2018-11409, a Splunk Enterprise information disclosure bug: requests to the splunkd __raw/services/server/info/server-info endpoint through the web interface returned server details (such as version and license information) without proper authentication. The search reads the web-access log (index=_internal, sourcetype=splunkd_ui_access), drops loopback clients, keeps only requests whose path ends in raw/services/server/info/server-info, and summarizes them per source IP and Splunk server with the first and last request time, the requested URIs, user agents and user names. Because authenticated users and Splunk's own UI also call this endpoint, a hit is not proof of exploitation; check whether the client was authenticated and whether the user agent is a browser or a scripted client.

Detection logic

index=_internal sourcetype=splunkd_ui_access server-info 
| search clientip!=127.0.0.1 uri_path="*raw/services/server/info/server-info" 
| rename clientip as src_ip, splunk_server as dest 
| stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `splunk_enterprise_information_disclosure_filter`
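The following is an added example, not code from the LoFP page or from the Splunk security content project. It re-implements the filter and stats steps of the SPL above in Python and runs them over a few constructed log lines that approximate the splunkd_ui_access (web_access.log) format. Assumptions: the line format used here is an approximation, the splunk_server field (dest) is supplied as a parameter because it is Splunk metadata rather than part of the raw line, and an unauthenticated request is represented by "-" in the user field. The `likely_unauthenticated` helper is a hypothetical triage aid for the false-positive note, not part of the rule.

```python
import re
from datetime import datetime

# Constructed sample lines approximating Splunk's web_access.log
# (sourcetype splunkd_ui_access). They are not real captures.
SAMPLE_LOG = """\
127.0.0.1 - admin [11/Jun/2018:10:20:30.100 +0000] "GET /en-US/splunkd/__raw/services/server/info/server-info?output_mode=json HTTP/1.1" 200 2310 "-" "Mozilla/5.0" - 5b1e2f9e 12ms
10.0.0.42 - - [11/Jun/2018:10:21:05.337 +0000] "GET /en-US/splunkd/__raw/services/server/info/server-info?output_mode=json HTTP/1.1" 200 2310 "-" "curl/7.58.0" - 5b1e2fa1 9ms
10.0.0.42 - - [11/Jun/2018:10:21:09.812 +0000] "GET /en-US/splunkd/__raw/services/server/info/server-info HTTP/1.1" 200 2298 "-" "curl/7.58.0" - 5b1e2fa5 8ms
10.0.0.7 - alice [11/Jun/2018:10:25:00.000 +0000] "GET /en-US/app/launcher/home HTTP/1.1" 200 6543 "-" "Mozilla/5.0" - 5b1e2fb0 30ms
"""

# Field extraction for the approximated format (assumption, see lead-in).
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+) \S+ "[^"]*" '
    r'"(?P<useragent>[^"]*)"'
)

# Equivalent of uri_path="*raw/services/server/info/server-info"
TARGET_SUFFIX = "raw/services/server/info/server-info"


def parse(line):
    """Turn one access-log line into a dict of the fields the SPL uses."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["uri_path"] = ev["uri"].split("?", 1)[0]        # strip the query string
    ev["_time"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
    return ev


def detect(log_text, splunk_server="sh01"):
    """Mirror of the SPL: search filter, rename, then stats by src_ip, dest.

    Returns {(src_ip, dest): {firstTime, lastTime, uri, http_user_agent, user}}.
    splunk_server stands in for the splunk_server metadata field (assumption).
    """
    results = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        # | search clientip!=127.0.0.1 uri_path="*raw/services/server/info/server-info"
        if ev["clientip"] == "127.0.0.1":
            continue
        if not ev["uri_path"].endswith(TARGET_SUFFIX):
            continue
        # | rename clientip as src_ip, splunk_server as dest
        key = (ev["clientip"], splunk_server)
        # | stats earliest(_time), latest(_time), values(uri), values(useragent), values(user)
        r = results.setdefault(key, {
            "firstTime": ev["_time"], "lastTime": ev["_time"],
            "uri": set(), "http_user_agent": set(), "user": set(),
        })
        r["firstTime"] = min(r["firstTime"], ev["_time"])
        r["lastTime"] = max(r["lastTime"], ev["_time"])
        r["uri"].add(ev["uri"])
        r["http_user_agent"].add(ev["useragent"])
        r["user"].add(ev["user"])
    return results


def likely_unauthenticated(result):
    """Hypothetical triage aid for the false-positive note: every request
    from this source carried no user name ("-" in the constructed format)."""
    return result["user"] == {"-"}


if __name__ == "__main__":
    for (src_ip, dest), r in detect(SAMPLE_LOG).items():
        flag = "REVIEW" if likely_unauthenticated(r) else "likely legitimate"
        print(src_ip, dest, r["firstTime"].isoformat(), r["lastTime"].isoformat(),
              sorted(r["http_user_agent"]), sorted(r["user"]), flag)
```

Running it on the constructed lines yields a single row for 10.0.0.42: the loopback request from the admin is excluded by the clientip filter, alice's launcher request does not match the path, and the remaining source made two anonymous requests with a non-browser user agent, which is the pattern worth investigating rather than the authenticated browser case the false-positive note describes.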