I'm trying to correlate user/department from AD against some security logs that contain the username in "User_Name". I'm doing some field extractions because that field is in the format domain\username and there isn't a field that I've seen in our AD based on LDAPsearch in that format. The query and the error that I'm getting are below. I haven't been able to find any information on this error.
host=<Host>
| eval fld_username=if(substr(User_Name,1,len("Domain"))=="Domain",substr(User_Name,len("Domain\\")+1,len(User_Name)),"false")
| ldapfilter domain=default search="(&(objectclass=user) (mailNickname=$fld_username$))"
External search command 'ldapfilter' returned error code 1. Script output = " ERROR "00002120: SvcErr: DSID-031404AF, problem 5012 (DIR_ERROR), data 0 "