Re: Anyone used the IP Quality Score Add-On?

jhilton90 · ‎07-26-2022

Does anyone have any experience using the IP Quality Score add-on in Splunk? I've been given very little information on how to actually run searches in the add-on and so far im not getting any results.

For instance I'm trying to use the IP Detection commands on our web traffic logs but I'm not getting any results. I just keep getting an error saying:

Exception at "/opt/splunk/etc/apps/TA-ipqualityscore/bin/ipdetection.py", line 127 : There are no events with ip field.

IPQualityScore · ‎07-14-2025

Hi All - A new version of the IPQS Splunk plugin is now available, which fixes the past issues.

https://splunkbase.splunk.com/app/5423

Please let us know if you encounter any new errors, we'll be happy to investigate.

You can also message support@ipqualityscore.com.

keenerms · ‎05-22-2024

Did you ever find a solution to this? We're having the same problem two years later.

I just sat down with the IPQS team and demonstrated the issue. They took the same data set and it ran flawlessly in their environment, so it's not the content of the field. We're currently trying to determine if our Splunk config is different than theirs and somehow causing this issue.

jhilton90 · ‎05-22-2024

So we did manage to get this working with help from the guy who built the addon. I'll give you an example of a Splunk query that helped me

index="example" #This is our authentication index
| table username
| eval username_email=if(match(username,"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}"),username,null())
| where isnotnull (username_email)
| table username_email
| emailvalidation field="username_email"

IPQualityScore · ‎09-01-2023

Hi Everyone - The error below indicates that the field containing the IP address does not exists in the events. The custom command is looking for a field supplied via "field" attribute to the "ipdetection" command. Please make sure you have the correct "field" value specified.

For example:

... | ipdetection field=ip // sample usage when ip field contains IP address value

... | rex field=_raw "(?<ip_address>d{1,3}.d{1,3}.d{1,3}.d{1,3})" | ipdetection field=ip_address // sample usage when you need to extract IP address from raw event

Additional command options can be found in the documentation https://ta-ipqualityscore.readthedocs.io/en/latest/ipdetection.html

Please feel free to reach out if you experience any issues: support@ipqualityscore.com

jviray · ‎04-09-2024

Even using a field that has defined IP values doesn't work and returned the following error:

"Streamed search execute failed because: Error in 'ipdetection' command: External search command exited unexpectedly with non-zero error code 1.."

This works but you can't pass values to it within a query:

| ipqualityscore field="IP Address" value="8.8.8.8"

bcsfullsail · ‎12-16-2022

Did you figure anything out with that error? We have the same issue.

jhilton90 · ‎12-19-2022

What data are you working with?

Anyone used the IP Quality Score Add-On?

using Splunk Cloud

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation