
When creating an alert, why do I receive "Error in 'inputlookup' command: This command is not supported in a real-time search" message?

prclimaco
New Member

We are trying to create an alert when 911 is called. For testing purposes, we made a call from our cell phone and ran the search manually from Browse->Calls, and the report returns the cell phone call we made. We then saved this as an Alert to e-mail when that number is called. We then called again, and we never got an e-mail from the alert that was created. We have tested the e-mail function in Splunk and other e-mail alerts are working from other applications, so we believe our e-mail settings are correct.

When we open up the saved report (alert), it shows the following error: Error in 'inputlookup' command: This command is not supported in a real-time search.

Can anyone help us create our 911 alert? Thanks!

0 Karma

aaraneta_splunk
Splunk Employee

@prclimaco - Did one of the answers below help provide a solution to your question? If yes, please click "Accept" below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

hunters_splunk
Splunk Employee

Hi prclimaco,

I think you can try using the append argument in the inputlookup command.

| inputlookup append=true ...

Hope it works. Thanks!
Hunter

0 Karma

niketn
Legend

Set append=true for inputlookup if you want to use it in a real-time search. This implies that inputlookup will override the current set of results. Refer to the following answer on the same.

https://answers.splunk.com/answers/205777/how-to-use-inputlookup-with-realtime-search.html

Also, the append=true option is explained with an example in the Splunk docs: https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Inputlookup

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
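The following is an added example, not part of any answer in this thread and not taken from a Splunk app. It shows the alert from the question written out as savedsearches.conf stanzas: first the form that fails with the error in the question, then a real-time form using inputlookup append=true as the answers suggest, and a scheduled form that avoids inputlookup entirely. The index "cdr", sourcetype "cdr_call_record", the fields calling_number and called_number, the recipient address and the lookup file emergency_numbers.csv (columns called_number, description) are all assumptions.

```ini
# Added example (not from the thread). Index, sourcetype, field names, the
# e-mail recipient and the lookup file emergency_numbers.csv are assumptions.

# --- transforms.conf: lookup definition for the CSV (columns: called_number,description)
[emergency_numbers]
filename = emergency_numbers.csv

# --- savedsearches.conf ---

# 1. Broken: inputlookup is the generating (first) command of a real-time search.
#    Splunk rejects it with "Error in 'inputlookup' command: This command is not
#    supported in a real-time search", so the alert never evaluates and never e-mails.
[911 called - broken]
search = | inputlookup emergency_numbers | search called_number=911
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = noc@example.com
action.email.subject = 911 call placed from $result.calling_number$

# 2. Fixed, still real-time: the pipeline starts from indexed call events, and
#    inputlookup append=true adds the lookup rows to the result set instead of
#    replacing it. append only concatenates (it does not join), so a stats by
#    called_number is needed to keep numbers that occur both in an event and in
#    the lookup. Lookup rows carry no _time, which is how the two are told apart.
[911 called - realtime]
search = index=cdr sourcetype=cdr_call_record \
  | inputlookup append=true emergency_numbers \
  | stats count(eval(isnotnull(_time))) AS calls values(description) AS description BY called_number \
  | where calls > 0 AND isnotnull(description)
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = noc@example.com
action.email.subject = Emergency number $result.called_number$ called $result.calls$ time(s)

# 3. Simplest: drop inputlookup and enrich each call event with the lookup
#    command, keeping only calls whose called_number is in the CSV. Running it
#    on a short cron instead of real-time sidesteps the restriction entirely and
#    keeps the per-call fields (_time, calling_number) available for the e-mail.
#    Suppression by calling_number stops one phone from generating a flood.
[911 called - scheduled]
search = index=cdr sourcetype=cdr_call_record \
  | lookup emergency_numbers called_number OUTPUT description \
  | where isnotnull(description) \
  | table _time calling_number called_number description
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.period = 5m
alert.suppress.fields = calling_number
action.email = 1
action.email.to = noc@example.com
action.email.subject = 911 call placed from $result.calling_number$
```

The error in the question is specific to real-time searches, so stanza 3 is usually the better fix for an alert like this: a five-minute cron window with times snapped to the minute (-5m@m to @m) leaves no gaps between runs, and the lookup command matches each call against the CSV without the stats reshaping that append=true forces. If the alert must stay real-time, stanza 2 is the shape the answers above describe.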