AbuseIPdb_check syntax and usage- Help with Abuse...

cybermonday · ‎02-09-2021

The Splunk app AbuseIPdb_check (https://splunkbase.splunk.com/app/4903) is not working as expected after copying the config.json file to this app's local directory and putting my AbuseIPDB API key.

I have tried with syntax as below - 

| makeresults | eval ip="94.201.237.206" | abuseip ipfield=ip

| makeresults | eval ip="94.201.237.206" |abuseip(ip)

The error on Splunk web is -- Error in 'script': Get info probe failed for external search command 'abuseip'.

i did not find anything relevant as a pointer when checked in Splunk _internal logs for this.

Under all configuration "abuseip" is mentioned as config type - command with enabled status and global sharing permissions.

Has it worked for anyone? any direction/solution pointer would be appreciable.

theSOCguy · ‎10-26-2022

I am having the same issue. Can't seem to find a solution for this one yet.

code_assassin · ‎10-26-2022

I'm having similar issues, however strangely enough there are a few times where the script actually works.
Here is the command that worked (works randomly) for me:

syntax = | abuseip ipfield=<insert field name>
example = | abuseip ipfield=destip

As far as the error goes, I was able to find these two sources but non of them helped. Might help you out.
https://community.splunk.com/t5/Security/getinfo-probe-failed-for-external-search-command-a-rights-i...
https://community.splunk.com/t5/Building-for-the-Splunk-Platform/Custom-command-Getinfo-probe-failed...

AbuseIPdb_check syntax and usage- Help with AbuseePDB API key

administration

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms