I'm trying to dynamically add risk modifiers with sendalert for Enterprise Security. The ad-hoc search works and adds risk modifier event, but the saved search fails with the below error. I raised dispatch.ttl by a large amount for testing.
| from datamodel:IntrusionDetection
[| inputlookup internalip | rename ip as src]