Splunk Search

Error in 'fields' command: Invalid argument: 'Account_Name=HELP'

Builder

How to correct this SPL to avoid this error

index=win EventCode=528 OR EventCode=4624 LogonType=2 
| fields Account_Name
[ | inputlookup identities_1
 | inputlookup append=true identities_2
 | inputlookup append=true identities_3
|  rename identity as Account_Name
|  fields Account_Name watchlist
|  where watchlist = "true"    
]

Error in 'fields' command: Invalid argument: 'Account_Name=HELP'

0 Karma

SplunkTrust
SplunkTrust

@splunk_zen, you can try the following, however, I would want to know as to why you have three lookups identities_1, identities_2 and identities_3. I have moved watchlist filter to inputlookup command itself assuming all three lookups have this field.

index=win EventCode=528 OR EventCode=4624 LogonType=2 
    [| inputlookup identities_1 where watchlist = "true" 
    | inputlookup append=true identities_2 where watchlist = "true" 
    | inputlookup append=true identities_3 where watchlist = "true" 
    | rename identity as Account_Name 
    | table Account_Name]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Builder

Issue was really on the dumb first
| fields argument

different lookups are non relevant to this but required as we're using the ldapsearch command to fetch ldapoutputs from several domains

0 Karma

Influencer

Try this-

 index=win EventCode=528 OR EventCode=4624 LogonType=2 
 | fields Account_Name
 [ | inputlookup identities_1
  | inputlookup append=true identities_2
  | inputlookup append=true identities_3
 |  rename identity as Account_Name
 |  fields Account_Name watchlist
 |  where watchlist = "true" | return $Account_Name   
 ]

Builder

Unfortunately it doesn't work.
Adding $Account_Name yields 0 results

0 Karma