https://community.splunk.com/t5/Splunk-Search/Error-in-fields-command-Invalid-argument-Account-Name-HELP/m-p/406649#M117499 <P>How to correct this SPL to avoid this error</P> <PRE><CODE>index=win EventCode=528 OR EventCode=4624 LogonType=2 | fields Account_Name [ | inputlookup identities_1 | inputlookup append=true identities_2 | inputlookup append=true identities_3 | rename identity as Account_Name | fields Account_Name watchlist | where watchlist = "true" ] </CODE></PRE> <P>Error in 'fields' command: Invalid argument: 'Account_Name=HELP'</P> Fri, 12 Apr 2019 16:35:02 GMT splunk_zen 2019-04-12T16:35:02Z https://community.splunk.com/t5/Splunk-Search/Error-in-fields-command-Invalid-argument-Account-Name-HELP/m-p/406649#M117499 <P>How to correct this SPL to avoid this error</P> <PRE><CODE>index=win EventCode=528 OR EventCode=4624 LogonType=2 | fields Account_Name [ | inputlookup identities_1 | inputlookup append=true identities_2 | inputlookup append=true identities_3 | rename identity as Account_Name | fields Account_Name watchlist | where watchlist = "true" ] </CODE></PRE> <P>Error in 'fields' command: Invalid argument: 'Account_Name=HELP'</P> Fri, 12 Apr 2019 16:35:02 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-fields-command-Invalid-argument-Account-Name-HELP/m-p/406649#M117499 splunk_zen 2019-04-12T16:35:02Z https://community.splunk.com/t5/Splunk-Search/Error-in-fields-command-Invalid-argument-Account-Name-HELP/m-p/406650#M117500 <P>Try this-</P> <PRE><CODE> index=win EventCode=528 OR EventCode=4624 LogonType=2 | fields Account_Name [ | inputlookup identities_1 | inputlookup append=true identities_2 | inputlookup append=true identities_3 | rename identity as Account_Name | fields Account_Name watchlist | where watchlist = "true" | return $Account_Name ] </CODE></PRE> Fri, 12 Apr 2019 16:41:05 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-fields-command-Invalid-argument-Account-Name-HELP/m-p/406650#M117500 Vijeta 2019-04-12T16:41:05Z https://community.splunk.com/t5/Splunk-Search/Error-in-fields-command-Invalid-argument-Account-Name-HELP/m-p/406651#M117501 <P>Unfortunately it doesn't work.<BR /> Adding $Account_Name yields 0 results</P> Wed, 17 Apr 2019 14:02:29 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-fields-command-Invalid-argument-Account-Name-HELP/m-p/406651#M117501 splunk_zen 2019-04-17T14:02:29Z https://community.splunk.com/t5/Splunk-Search/Error-in-fields-command-Invalid-argument-Account-Name-HELP/m-p/406652#M117502 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/1854">@splunk_zen</a>, you can try the following, however, I would want to know as to why you have three lookups identities_1, identities_2 and identities_3. I have moved watchlist filter to inputlookup command itself assuming all three lookups have this field.</P> <PRE><CODE>index=win EventCode=528 OR EventCode=4624 LogonType=2 [| inputlookup identities_1 where watchlist = "true" | inputlookup append=true identities_2 where watchlist = "true" | inputlookup append=true identities_3 where watchlist = "true" | rename identity as Account_Name | table Account_Name] </CODE></PRE> Wed, 30 Sep 2020 00:12:21 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-fields-command-Invalid-argument-Account-Name-HELP/m-p/406652#M117502 niketn 2020-09-30T00:12:21Z https://community.splunk.com/t5/Splunk-Search/Error-in-fields-command-Invalid-argument-Account-Name-HELP/m-p/406653#M117503 <P>Issue was really on the dumb first <BR /> | fields argument</P> <P>different lookups are non relevant to this but required as we're using the ldapsearch command to fetch ldapoutputs from several domains</P> Fri, 19 Apr 2019 11:31:13 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-fields-command-Invalid-argument-Account-Name-HELP/m-p/406653#M117503 splunk_zen 2019-04-19T11:31:13Z