Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Error in 'fields' command: Invalid argument: 'Acco...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Error in 'fields' command: Invalid argument: 'Account_Name=HELP'
splunk_zen
Builder
04-12-2019
09:35 AM
How to correct this SPL to avoid this error
index=win EventCode=528 OR EventCode=4624 LogonType=2
| fields Account_Name
[ | inputlookup identities_1
| inputlookup append=true identities_2
| inputlookup append=true identities_3
| rename identity as Account_Name
| fields Account_Name watchlist
| where watchlist = "true"
]
Error in 'fields' command: Invalid argument: 'Account_Name=HELP'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
04-19-2019
02:22 AM
@splunk_zen, you can try the following, however, I would want to know as to why you have three lookups identities_1, identities_2 and identities_3. I have moved watchlist filter to inputlookup command itself assuming all three lookups have this field.
index=win EventCode=528 OR EventCode=4624 LogonType=2
[| inputlookup identities_1 where watchlist = "true"
| inputlookup append=true identities_2 where watchlist = "true"
| inputlookup append=true identities_3 where watchlist = "true"
| rename identity as Account_Name
| table Account_Name]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk_zen
Builder
04-19-2019
04:31 AM
Issue was really on the dumb first
| fields argument
different lookups are non relevant to this but required as we're using the ldapsearch command to fetch ldapoutputs from several domains
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
04-12-2019
09:41 AM
Try this-
index=win EventCode=528 OR EventCode=4624 LogonType=2
| fields Account_Name
[ | inputlookup identities_1
| inputlookup append=true identities_2
| inputlookup append=true identities_3
| rename identity as Account_Name
| fields Account_Name watchlist
| where watchlist = "true" | return $Account_Name
]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk_zen
Builder
04-17-2019
07:02 AM
Unfortunately it doesn't work.
Adding $Account_Name yields 0 results
Get Updates on the Splunk Community!
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Splunk App for Anomaly Detection End of Life Announcement
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
