Anyone used the IP Quality Score Add-On?

jhilton90 · ‎07-26-2022

Does anyone have any experience using the IP Quality Score add-on in Splunk? I've been given very little information on how to actually run searches in the add-on and so far im not getting any results.

For instance I'm trying to use the IP Detection commands on our web traffic logs but I'm not getting any results. I just keep getting an error saying:

Exception at "/opt/splunk/etc/apps/TA-ipqualityscore/bin/ipdetection.py", line 127 : There are no events with ip field.

IPQualityScore

Hi Everyone - The error below indicates that the field containing the IP address does not exists in the events. The custom command is looking for a field supplied via "field" attribute to the "ipdetection" command. Please make sure you have the correct "field" value specified.

For example:

... | ipdetection field=ip // sample usage when ip field contains IP address value

... | rex field=_raw "(?<ip_address>d{1,3}.d{1,3}.d{1,3}.d{1,3})" | ipdetection field=ip_address // sample usage when you need to extract IP address from raw event

Additional command options can be found in the documentation https://ta-ipqualityscore.readthedocs.io/en/latest/ipdetection.html

Please feel free to reach out if you experience any issues: support@ipqualityscore.com

bcsfullsail · ‎12-16-2022

Did you figure anything out with that error? We have the same issue.

jhilton90 · ‎12-19-2022

What data are you working with?

Anyone used the IP Quality Score Add-On?

other

using Splunk Cloud

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7