All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

When creating an alert, why do I receive "Error in 'inputlookup' command: This command is not supported in a real-time search" message?

prclimaco
New Member
‎01-05-2017 02:32 PM

We are trying to create an alert when 911 is called. For testing purposes, we made a call from our cell phone and run the search manually from Browse->Calls and the report returns the cell phone call we made. When then save this as an Alert to e-mail when that number is called. We then call again, and we never get an e-mail from the alert that was created. We have tested the e-mail function in Splunk and other e-mails alerts are working from other applications, so we believe or e-mail settings are correct.

When we open up the saved report (alert), it shows the following error: Error in 'inputlookup' command: This command is not supported in a real-time search.

Can anyone help us create our 911 alert? Thanks!

0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎01-21-2017 12:19 PM

@prclimaco - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma
Reply

hunters_splunk
Splunk Employee
Splunk Employee
‎01-05-2017 07:26 PM

Hi prlimaco,

I think can try using the append argument in the inputlookup command.

| inputlookup append=true ...

Hope it works. Thanks!
Hunter

0 Karma
Reply

niketn
Legend
‎01-05-2017 07:17 PM

Set append=true for inputlookup if you want to use the same in real-time search. This implies that inputlookup will override the current set of results. Refer to following answer on the same.

https://answers.splunk.com/answers/205777/how-to-use-inputlookup-with-realtime-search.html

Also append=true option with example is explained on Splunk docs:https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Inputlookup

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...