Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error in 'fields' command: Invalid argument: 'Account_Name=HELP'

splunk_zen
Builder
‎04-12-2019 09:35 AM

How to correct this SPL to avoid this error

index=win EventCode=528 OR EventCode=4624 LogonType=2 
| fields Account_Name
[ | inputlookup identities_1
 | inputlookup append=true identities_2
 | inputlookup append=true identities_3
|  rename identity as Account_Name
|  fields Account_Name watchlist
|  where watchlist = "true"    
]

Error in 'fields' command: Invalid argument: 'Account_Name=HELP'

0 Karma
Reply

niketn
Legend
‎04-19-2019 02:22 AM

@splunk_zen, you can try the following, however, I would want to know as to why you have three lookups identities_1, identities_2 and identities_3. I have moved watchlist filter to inputlookup command itself assuming all three lookups have this field.

index=win EventCode=528 OR EventCode=4624 LogonType=2 
    [| inputlookup identities_1 where watchlist = "true" 
    | inputlookup append=true identities_2 where watchlist = "true" 
    | inputlookup append=true identities_3 where watchlist = "true" 
    | rename identity as Account_Name 
    | table Account_Name]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

splunk_zen
Builder
‎04-19-2019 04:31 AM

Issue was really on the dumb first
| fields argument

different lookups are non relevant to this but required as we're using the ldapsearch command to fetch ldapoutputs from several domains

0 Karma
Reply

Vijeta
Influencer
‎04-12-2019 09:41 AM

Try this-

 index=win EventCode=528 OR EventCode=4624 LogonType=2 
 | fields Account_Name
 [ | inputlookup identities_1
  | inputlookup append=true identities_2
  | inputlookup append=true identities_3
 |  rename identity as Account_Name
 |  fields Account_Name watchlist
 |  where watchlist = "true" | return $Account_Name   
 ]
Reply

splunk_zen
Builder
‎04-17-2019 07:02 AM

Unfortunately it doesn't work.
Adding $Account_Name yields 0 results

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top