Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error in 'fields' command: Invalid argument: 'Account_Name=HELP'

splunk_zen
Builder
‎04-12-2019 09:35 AM

How to correct this SPL to avoid this error

index=win EventCode=528 OR EventCode=4624 LogonType=2 
| fields Account_Name
[ | inputlookup identities_1
 | inputlookup append=true identities_2
 | inputlookup append=true identities_3
|  rename identity as Account_Name
|  fields Account_Name watchlist
|  where watchlist = "true"    
]

Error in 'fields' command: Invalid argument: 'Account_Name=HELP'

0 Karma
Reply

niketn
Legend
‎04-19-2019 02:22 AM

@splunk_zen, you can try the following, however, I would want to know as to why you have three lookups identities_1, identities_2 and identities_3. I have moved watchlist filter to inputlookup command itself assuming all three lookups have this field.

index=win EventCode=528 OR EventCode=4624 LogonType=2 
    [| inputlookup identities_1 where watchlist = "true" 
    | inputlookup append=true identities_2 where watchlist = "true" 
    | inputlookup append=true identities_3 where watchlist = "true" 
    | rename identity as Account_Name 
    | table Account_Name]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

splunk_zen
Builder
‎04-19-2019 04:31 AM

Issue was really on the dumb first
| fields argument

different lookups are non relevant to this but required as we're using the ldapsearch command to fetch ldapoutputs from several domains

0 Karma
Reply

Vijeta
Influencer
‎04-12-2019 09:41 AM

Try this-

 index=win EventCode=528 OR EventCode=4624 LogonType=2 
 | fields Account_Name
 [ | inputlookup identities_1
  | inputlookup append=true identities_2
  | inputlookup append=true identities_3
 |  rename identity as Account_Name
 |  fields Account_Name watchlist
 |  where watchlist = "true" | return $Account_Name   
 ]
Reply

splunk_zen
Builder
‎04-17-2019 07:02 AM

Unfortunately it doesn't work.
Adding $Account_Name yields 0 results

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top