We are trying to create an alert when 911 is called. For testing purposes, we made a call from our cell phone and ran the search manually from Browse->Calls, and the report returns the cell phone call we made. We then save this as an Alert to e-mail when that number is called. We then call again, and we never get an e-mail from the alert that was created. We have tested the e-mail function in Splunk and other e-mail alerts are working from other applications, so we believe our e-mail settings are correct.
When we open up the saved report (alert), it shows the following error: Error in 'inputlookup' command: This command is not supported in a real-time search.
Can anyone help us create our 911 alert? Thanks!
@prclimaco - Did one of the answers below help provide a solution to your question? If yes, please click "Accept" below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.
Hi prlimaco,
I think you can try using the append argument in the inputlookup command.
| inputlookup append=true ...
Hope it works. Thanks!
Hunter
Set append=true for inputlookup if you want to use the same in a real-time search. This implies that inputlookup will override the current set of results. Refer to the following answer on the same.
https://answers.splunk.com/answers/205777/how-to-use-inputlookup-with-realtime-search.html
Also, the append=true option is explained with an example in the Splunk docs: https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Inputlookup
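As an added illustration (not from any of the answers above), here is how a real-time alert search can bring the lookup in with append=true instead of starting the pipeline with inputlookup. It assumes a hypothetical index cdr whose events carry caller and dialed_number fields, and a hypothetical lookup file emergency_numbers.csv with a dialed_number column (for example a row for 911); lookup rows are appended to the streamed events and matched against them by dialed_number:

```spl
index=cdr earliest=rt-5m latest=rt
| eval src="event"
| fields _time caller dialed_number src
| inputlookup append=true emergency_numbers.csv
| eval src=coalesce(src, "lookup")
| stats values(src) AS src, values(caller) AS caller, latest(_time) AS last_call BY dialed_number
| where mvcount(src)=2
```

A dialed_number row ends up with both "event" and "lookup" in src only when a streamed call matched an entry from the lookup, so the alert can be set to trigger whenever the search returns any result.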