All Apps and Add-ons

incorrect public IP displayed with sourcetype=quantum

goldtop_66
Explorer

The Public IP that is displayed across the top of the Home Network Overview dashboard does not function properly for sourcetype = quantum. The search is coded as follows:

index=homemonitor sourcetype=quantum | where 'not_src_private_ip' | top 1 src_ip AS my_ip

The Quantum firewalls do not provide the desired data that way in the syslogs. The proper way to extract the public IP is to find a BLOCKED event, and then take the DST field (destination IP). For blocked events, the firewall reports the blocked (incoming) IP address in the SRC field, and the public IP of the firewall itself in the DST field.

In ACCEPTED events, the SRC field is the local IP address and the DST field is the incoming IP address of the accepted connection.

Tags (1)
0 Karma

amiracle
Splunk Employee
Splunk Employee

I'm aware of this issue and have a fix lined up for the next version of the app. The plan is to use a simple script to get the public IP and display it. I'm planning to release the next version shortly.

0 Karma
Get Updates on the Splunk Community!

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...