
Schedule a Search

When you save a search, you can add a schedule to run it at a regularly scheduled time, and add alerts. For alert types, see Scheduled Searches.

To run the scheduled search using receipt time, save the search with receipt time enabled.

note

Scheduled searches with a Real Time run frequency do not support the Use Receipt Time option.

You can create a scheduled search at the time you create a search, or edit a saved search later to add a schedule. 

  1. Click Schedule this search on the edit dialog for a search.

    schedule-this-search.png

  2. Select a run frequency. When you make a selection, the additional settings are displayed.

    save-item.png

    note

    Scheduling a run frequency that matches your time range reduces overlapping searches and duplicate alerts. If a search is scheduled to run over the same results as a previous scheduled run, it would trigger an alert on the same data. This does not apply to Real Time Alerts, which do not duplicate alerts automatically.

    Run Frequency. Determine how frequently your search should run and the time it should start.

    note
    • Daily and Hourly schedules may be delayed up to 10 minutes past the selected time or interval but will maintain the selected run frequency.
    • 15 minute schedules may be delayed up to 5 minutes past the selected time or interval but will maintain the selected run frequency.
    • For users in time zones offset from UTC by 30 minutes, the minute is based on UTC. For example, customers in the IST time zone have a 30-minute offset: a search set to start at :00 starts at :30.
    • Custom Cron. Enter a custom CRON expression. The run frequency for a CRON expression must not be less than every 15 minutes. For details, see Cron Examples and Reference.
    • Weekly. The search will run every week. You may also select the day of the week that it runs and the time.
    • Daily. You may also select that your search runs every Day, every Weekday (Mon-Fri) or Weekend (Sat-Sun) and the time. A Daily search will cover exactly 24 hours of activity. You can change the schedule whenever you'd like. Be aware that a scheduled search will run according to the time zone set on your computer at the time you configure the search. For example, if you are in San Francisco and set a search to run at 7:00 AM, it will run at 7:00 AM PST. If you then fly to New York, and your computer resets to EST, when you schedule a new search at 7:00 AM, it will run at 7:00 AM EST. These two searches will run at different times.
    • Every 2, 4, 6, 8, or 12 Hours. The search will run for the first time at the top of the hour you choose.
    • Hourly. The search will run every hour. We guarantee that hourly searches run every hour but not exactly at :00.
    • Every 15 minutes. The search will run every 15 minutes, but not exactly at :00, :15, :30, and :45.
    • Real Time. Use this option to set up a Real Time Alert. Receipt time is not supported with a Real Time frequency.
    • Never. Choose this option to temporarily turn off a scheduled search.
  3. Time range for scheduled search. Indicates the time range your query will use when it executes, which determines the results the query generates. Select Last 24 Hours to get a daily alert. Otherwise, select the time range you want the scheduled search to run over. An absolute time range (for example, 06/10/2020 1:00:00 PM to 06/10/2020 2:00:00 PM) is not allowed in Scheduled Searches and produces a message like this: Invalid query. Static time range is not allowed for scheduled searches.

    info

    This setting is different from the Time Range option configured for the Saved Search. That time range is only used when you run the Saved Search from the Library. This Time Range applies to your Scheduled Search.

    Alternately, type a time range; for example, -15m runs the search against data generated in the past 15 minutes. A time range outside the maximum allowed range for a given frequency is not allowed and produces a message like this:

    Invalid query. Max allowed time range for 15 minutes frequency is 1 day

    The maximum allowed time range for the different scheduled search frequencies is as follows:

    Frequency            Max Allowed Time Range
    Real Time            15 minutes
    15 min               1 Day
    15 min - 1 hour      7 Days
    1 hour - 3 hours     15 Days
    3 hours - 12 hours   30 Days
    More than 12 hours   More than 30 days

    Consider adding an offset to your time range to ensure that all recent events have been indexed and are scanned by the search. For example, a range of -17m -2m represents a 15-minute time range offset by 2 minutes.

  4. Timezone for scheduled search. Select the time zone you would like your scheduled search to use. The schedule's time is based on this time zone. This time zone is not related to the time zone of your data. If you don't make a selection, the scheduled search uses the time zone from your browser, which is the default selection.

  5. Send Notification. Select the condition for when you want an alert sent.

    • Every time a search is complete. Select this option if you want an email with search results every time the search is run (depending on the frequency, you could get an email every 15 minutes, every hour, or once a day).

    • If the following condition is met. Select this option if you'd like to set up a scheduled search that alerts you to specific events.

      • Number of results. Depending on the search, set a condition to receive an email based on the number of results. If your saved search returns log messages, the alert uses the number of messages you specify. If your query produces aggregate results, the alert uses the number of rows or aggregates (groups) and does not trigger on the number of raw results. For more control over your query, you can build a threshold into the search itself (for example, | where _count > 30) and set the alert condition here to Greater than 0. That way the query only generates results when the expected condition is met. See this FAQ for an example.

        • Equal to. Choose if there is an exact number of records in a search result at which you want to be notified.
        • Greater than. Choose if you want to be notified only if the search results include greater than the number of messages or groups you set in the text box.
        • Greater than or equal to. Choose if you want to be notified only if the search results include greater than or equal to that number of messages or groups you set in the text box. For example, to ensure you're notified only when the specific query conditions are met, set the Number of results condition to greater than 0.
        • Fewer than. Choose if you want to be notified only if the search results include fewer than the number of messages or groups you set in the text box.
        • Fewer than or equal to. Choose if you want to be notified only if the search results include fewer than or equal to the number of messages or groups you set in the text box.
  6. Alert Type. For details on the available alert types, see Scheduled Searches.
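The time-range rules in step 3 (relative ranges only, optional offset such as -17m -2m, and the per-frequency maximum from the table) are easy to get wrong when scheduling searches in bulk. The following checker is an added example and not Sumo Logic code; it encodes the table from this page, and the treatment of the overlapping row boundaries (lower bound inclusive) and the exact error text are assumptions.

```python
import re

DAY = 86400
UNIT = {"s": 1, "m": 60, "h": 3600, "d": DAY, "w": 7 * DAY}
RELATIVE = re.compile(r"^-(\d+)([smhdw])$")


def parse_relative(token):
    """'-17m' -> 1020 seconds back from now. Anything that is not a relative
    token (e.g. an absolute timestamp like 06/10/2020 1:00:00 PM) is static."""
    m = RELATIVE.match(token)
    if not m:
        raise ValueError("Invalid query. Static time range is not allowed for scheduled searches.")
    return int(m.group(1)) * UNIT[m.group(2)]


def window_seconds(time_range):
    """Width of the range: '-15m' -> 900; '-17m -2m' -> 900 (15 min offset by 2 min)."""
    parts = [parse_relative(tok) for tok in time_range.split()]
    if len(parts) not in (1, 2):
        raise ValueError("Invalid query. Expected '-<n><unit>' or '-<n><unit> -<n><unit>'.")
    start, end = parts[0], (parts[1] if len(parts) == 2 else 0)
    if end >= start:
        raise ValueError("Invalid query. Range end must be later than its start.")
    return start - end


def max_allowed_seconds(frequency_minutes):
    """Cap from the table; None as input means Real Time. Returns None where the
    table gives no fixed cap (frequencies above 12 hours). Boundaries assumed."""
    if frequency_minutes is None:
        return 15 * 60
    if frequency_minutes == 15:
        return 1 * DAY
    if frequency_minutes < 60:
        return 7 * DAY
    if frequency_minutes < 180:
        return 15 * DAY
    if frequency_minutes <= 720:
        return 30 * DAY
    return None


def check_schedule(time_range, frequency_minutes):
    """Return None when the schedule is valid, otherwise the error message."""
    try:
        window = window_seconds(time_range)
    except ValueError as err:
        return str(err)
    cap = max_allowed_seconds(frequency_minutes)
    if cap is not None and window > cap:
        label = "Real Time" if frequency_minutes is None else f"{frequency_minutes} minutes"
        limit = f"{cap // 60} minutes" if cap < DAY else f"{cap // DAY} day(s)"
        return f"Invalid query. Max allowed time range for {label} frequency is {limit}"
    return None
```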

Copyright © 2022 by Sumo Logic, Inc.