Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Error in 'fields' command: Invalid argument: 'Account_Name=HELP'

splunk_zen
Builder
‎04-12-2019 09:35 AM

How to correct this SPL to avoid this error

index=win EventCode=528 OR EventCode=4624 LogonType=2 
| fields Account_Name
[ | inputlookup identities_1
 | inputlookup append=true identities_2
 | inputlookup append=true identities_3
|  rename identity as Account_Name
|  fields Account_Name watchlist
|  where watchlist = "true"    
]

Error in 'fields' command: Invalid argument: 'Account_Name=HELP'

0 Karma
Reply

niketn
Legend
‎04-19-2019 02:22 AM

@splunk_zen, you can try the following, however, I would want to know as to why you have three lookups identities_1, identities_2 and identities_3. I have moved watchlist filter to inputlookup command itself assuming all three lookups have this field.

index=win EventCode=528 OR EventCode=4624 LogonType=2 
    [| inputlookup identities_1 where watchlist = "true" 
    | inputlookup append=true identities_2 where watchlist = "true" 
    | inputlookup append=true identities_3 where watchlist = "true" 
    | rename identity as Account_Name 
    | table Account_Name]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

splunk_zen
Builder
‎04-19-2019 04:31 AM

Issue was really on the dumb first
| fields argument

different lookups are non relevant to this but required as we're using the ldapsearch command to fetch ldapoutputs from several domains

0 Karma
Reply

Vijeta
Influencer
‎04-12-2019 09:41 AM

Try this-

 index=win EventCode=528 OR EventCode=4624 LogonType=2 
 | fields Account_Name
 [ | inputlookup identities_1
  | inputlookup append=true identities_2
  | inputlookup append=true identities_3
 |  rename identity as Account_Name
 |  fields Account_Name watchlist
 |  where watchlist = "true" | return $Account_Name   
 ]
Reply

splunk_zen
Builder
‎04-17-2019 07:02 AM

Unfortunately it doesn't work.
Adding $Account_Name yields 0 results

0 Karma
Reply
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...