All Apps and Add-ons

incorrect public IP displayed with sourcetype=quantum

goldtop_66
Explorer

The Public IP that is displayed across the top of the Home Network Overview dashboard does not function properly for sourcetype = quantum. The search is coded as follows:

index=homemonitor sourcetype=quantum | where 'not_src_private_ip' | top 1 src_ip AS my_ip

The Quantum firewalls do not provide the desired data that way in the syslogs. The proper way to extract the public IP is to find a BLOCKED event, and then take the DST field (destination IP). For blocked events, the firewall reports the blocked (incoming) IP address in the SRC field, and the public IP of the firewall itself in the DST field.

In ACCEPTED events, the SRC field is the local IP address and the DST field is the incoming IP address of the accepted connection.

Tags (1)
0 Karma

amiracle
Splunk Employee
Splunk Employee

I'm aware of this issue and have a fix lined up for the next version of the app. The plan is to use a simple script to get the public IP and display it. I'm planning to release the next version shortly.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...