AbuseIPdb_check syntax and usage - Help with AbuseIPDB API key


The Splunk app AbuseIPdb_check is not working as expected after copying the config.json file to this app's local directory and adding my AbuseIPDB API key.

I have tried with syntax as below - 

| makeresults | eval ip="" | abuseip ipfield=ip

| makeresults | eval ip="" |abuseip(ip)

The error on Splunk web is -- Error in 'script': Get info probe failed for external search command 'abuseip'. 

I did not find anything relevant as a pointer when I checked the Splunk _internal logs for this.

Under all configuration "abuseip" is mentioned as config type - command with enabled status and global sharing permissions. 


Has it worked for anyone? Any direction or pointer to a solution would be appreciated.



I am having the same issue. Can't seem to find a solution for this one yet. 



I'm having similar issues, however strangely enough there are a few times where the script actually works. 
Here is the command that worked (works randomly) for me:

syntax = | abuseip ipfield=<insert field name> 
example = | abuseip ipfield=destip

As far as the error goes, I was able to find these two sources, but none of them helped. Might help you out.
