Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error in 'fields' command: Invalid argument: 'Account_Name=HELP'

splunk_zen
Builder
‎04-12-2019 09:35 AM

How to correct this SPL to avoid this error

index=win EventCode=528 OR EventCode=4624 LogonType=2 
| fields Account_Name
[ | inputlookup identities_1
 | inputlookup append=true identities_2
 | inputlookup append=true identities_3
|  rename identity as Account_Name
|  fields Account_Name watchlist
|  where watchlist = "true"    
]

Error in 'fields' command: Invalid argument: 'Account_Name=HELP'

0 Karma
Reply

niketn
Legend
‎04-19-2019 02:22 AM

@splunk_zen, you can try the following, however, I would want to know as to why you have three lookups identities_1, identities_2 and identities_3. I have moved watchlist filter to inputlookup command itself assuming all three lookups have this field.

index=win EventCode=528 OR EventCode=4624 LogonType=2 
    [| inputlookup identities_1 where watchlist = "true" 
    | inputlookup append=true identities_2 where watchlist = "true" 
    | inputlookup append=true identities_3 where watchlist = "true" 
    | rename identity as Account_Name 
    | table Account_Name]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

splunk_zen
Builder
‎04-19-2019 04:31 AM

Issue was really on the dumb first
| fields argument

different lookups are non relevant to this but required as we're using the ldapsearch command to fetch ldapoutputs from several domains

0 Karma
Reply

Vijeta
Influencer
‎04-12-2019 09:41 AM

Try this-

 index=win EventCode=528 OR EventCode=4624 LogonType=2 
 | fields Account_Name
 [ | inputlookup identities_1
  | inputlookup append=true identities_2
  | inputlookup append=true identities_3
 |  rename identity as Account_Name
 |  fields Account_Name watchlist
 |  where watchlist = "true" | return $Account_Name   
 ]
Reply

splunk_zen
Builder
‎04-17-2019 07:02 AM

Unfortunately it doesn't work.
Adding $Account_Name yields 0 results

0 Karma
Reply
Get Updates on the Splunk Community!

Best Strategies to Optimize Observability Costs

 Join us on Tuesday, May 6, 2025, at 11 AM PDT / 2 PM EDT for an insightful session on optimizing ...

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...
Top