All Apps and Add-ons

incorrect public IP displayed with sourcetype=quantum


The Public IP that is displayed across the top of the Home Network Overview dashboard does not function properly for sourcetype = quantum. The search is coded as follows:

index=homemonitor sourcetype=quantum | where 'not_src_private_ip' | top 1 src_ip AS my_ip

The Quantum firewalls do not provide the desired data that way in the syslogs. The proper way to extract the public IP is to find a BLOCKED event, and then take the DST field (destination IP). For blocked events, the firewall reports the blocked (incoming) IP address in the SRC field, and the public IP of the firewall itself in the DST field.

In ACCEPTED events, the SRC field is the local IP address and the DST field is the incoming IP address of the accepted connection.

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

I'm aware of this issue and have a fix lined up for the next version of the app. The plan is to use a simple script to get the public IP and display it. I'm planning to release the next version shortly.

0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...