
InfoSec App External IPs including 1918 Addresses

moogmusic
Path Finder

I've just been reviewing the Firewalls dashboard in the Continuous Monitoring section of the InfoSec app - the search that powers the External Source and Destination IP counts is this:

| tstats summariesonly=true allow_old_summaries=true dc(All_Traffic.src_ip) from datamodel=Network_Traffic where All_Traffic.src_ip!=10.0.0.0/8 All_Traffic.src_ip!=192.168.0.0/16 All_Traffic.src_ip!=172.16.0.0/12

If I change dc(All_Traffic.src_ip) to values(All_Traffic.src_ip), the list of IPs generated includes all our 10.0.0.0/8 addresses. I've seen this problem with other tstats network searches I've tried to run and thought I wasn't formatting the search properly, but there's clearly an issue with the All_Traffic.src_ip!=10.0.0.0/8 filter.

Anyone else seen this/got a solution?

Thanks

1 Solution

moogmusic
Path Finder

Turns out this is not implemented until 7.3 and we're running 7.2.9.
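
A way to get the same external-source count without relying on CIDR support in the tstats where clause, as an added example that is not part of the original thread or the InfoSec app: group by source IP in tstats, then apply the RFC 1918 exclusions afterwards with cidrmatch. It assumes the same accelerated Network_Traffic data model as the search in the question; the output field name external_src_ips is made up for illustration.

```spl
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic by All_Traffic.src_ip
| rename All_Traffic.src_ip AS src_ip
| where NOT (cidrmatch("10.0.0.0/8", src_ip) OR cidrmatch("172.16.0.0/12", src_ip) OR cidrmatch("192.168.0.0/16", src_ip))
| stats dc(src_ip) AS external_src_ips
```

Swapping the last line for `| stats values(src_ip)` lists the remaining addresses, which is a quick check that no private ranges slipped through. Grouping by src_ip returns one row per distinct source before filtering, so this search does more work than a filter applied inside tstats.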
