All Apps and Add-ons

InfoSec App External IPs including 1918 Addresses

moogmusic
Path Finder

I've just been reviewing the Firewalls dashboard in the Continuous Monitoring section of the InfoSec app - the search that powers the External Source and Destination IP counts is this:

| tstats summariesonly=true allow_old_summaries=true dc(All_Traffic.src_ip) from datamodel=Network_Traffic where All_Traffic.src_ip!=10.0.0.0/8 All_Traffic.src_ip!=192.168.0.0/16 All_Traffic.src_ip!=172.16.0.0/12

If change dc(All_Traffic.src_ip) to values(All_Traffic.src_ip), the list of IPs generated includes all our 10.0.0.0/8 addresses - I've seen this problem with other tstats network searches I've tried to run and thought I wasn't formatting the search properly but there's clearly an issue with the All_Traffic.src_ip!=10.0.0.0/8 filter

Anyone else seen this/got a solution?

Thanks

Labels (1)
0 Karma
1 Solution

moogmusic
Path Finder

Turns out this is not implemented until 7.3 and we're running 7.2.9.

View solution in original post

0 Karma

moogmusic
Path Finder

Turns out this is not implemented until 7.3 and we're running 7.2.9.

0 Karma
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...