Scheduled Searches
Scheduled searches are standard saved searches that are executed on a schedule you set. Once configured, scheduled searches run continuously, making them a great tool for continuously monitoring your stack. For instructions, see Schedule a Search.
Scheduled Search Alert Types
When you create a scheduled search, you can configure several different alert types including email, Script Action, ServiceNow Connection, Webhook, Save to Index, Real Time Alerts, and Cloud SIEM Enterprise (CSE) Signals.
Email
You can create a scheduled search to alert you with an email when a set of conditions are satisfied. A maximum of 120 emails are sent per day per scheduled search. For instructions, see Create an Email Alert.
Script Action
A Script Action is a Source type that receives data uploads triggered by a scheduled search. The script you create defines how data is consumed; for example, you could fire SNMP traps based on the result of the search. After setting up a Script Action, create a scheduled search. Each time the search query executes, the Collector runs the script configured in the Script Action. For instructions, see Script Action.
You need the View Collectors role capability to alert with a Script Action.
ServiceNow Connection
Existing customers of both ServiceNow and Sumo Logic can now take advantage of the integration between the services. With this integration, search results from Sumo Logic are uploaded to your organization's ServiceNow account, allowing your organization to investigate issues across your deployment.
The main way data is uploaded to ServiceNow is through the use of scheduled searches. After saving a search, results are available in ServiceNow. Additionally, you can launch ad-hoc ServiceNow investigations using search results in Sumo Logic. For instructions, see ServiceNow.
Webhook
Webhook connections allow you to send Sumo Logic alerts to third-party applications that accept incoming webhooks. For example, once you set up a Webhook connection in Sumo Logic, and create a scheduled search, then you can send an alert from that scheduled search as a post to a Slack channel, or integrate with third-party systems. For instructions, see Scheduled Searches for Webhook Connections.
Save to Index
When you create a Scheduled Search, you can save the results to an Index. This way, your data can be searched at a later time using _index=index_name
with increased search performance. For instructions, see Save to Index.
Save to Lookup
When you create a Scheduled Search, you can save the results to a Lookup Table. This way, you can view the results of the scheduled search from the Library by viewing the Lookup Table the search results were saved to. You can use the lookup operator to enrich other log data with the information from the Lookup Table. For instructions, see Save to Lookup.
Real Time Alerts
Real Time Alerts are scheduled searches that run nearly continuously. That means that you're informed in real time when error conditions exist.
When an alert condition is satisfied, Sumo Logic sends an email (or triggers a script action). Sumo Logic examines ingested data in a rolling window using the Time Range you define. Any time a new result is found, another email is sent. For instructions, see Create a Alert.
CSE Signal
You can trigger the creation of a CSE Signal with a scheduled search. Signals are otherwise generated when the conditions of a CSE rule are satisfied by a Record. Signals are correlated with other Signals to create a CSE Insight. For instructions, see Generate CSE Signals With a Scheduled Search.
Guides
Important considerations:
- How to Prevent your Scheduled Search from Timing Out. Scheduled searches cannot run indefinitely. At some point, the query will be timed out to protect the reliability of the service.
- Service Alert: Scheduled Search Email Quota Reached for Search. Sumo Logic implements an email quota allowing 120 emails to be sent per day per scheduled search.
- What Happens When a Scheduled Search Is Suspended? Learn what happens when a Scheduled Search is suspended.
- Why Would a Scheduled Search Fail? Learn how to troubleshoot a failed Scheduled Search.
Fields are returned in lowercase in scheduled search results.
Schedule a Search
Learn how to add alerts and schedule search to run it at a regular scheduled time.
Create an Email Alert
Learn how to create a scheduled search email alert.
Create a Real-Time Alert
Learn how to create an alert to get notified in real-time when error conditions exist.
Edit or Cancel a Scheduled Search
Learn how to edit or cancel a scheduled search at any time.
Receive Email Alerts from Scheduled sources
Learn how to set up and receive email alerts about scheduled searches.
Generate CSE Signals With a Scheduled Search
Learn how to create a scheduled search that will trigger a Cloud SIEM Enterprise (CSE) Signal.
Run a Search from an Alert Email
Learn how to receive an email created by an email alert in a scheduled search.
Save to Index
Learn how to save the results to an Index after creating a scheduled search email alert.
Save to Lookup
Learn how to save the results of a scheduled search to a Lookup Table.
FAQ
Go through frequently asked questions about scheduled searches and troubleshooting tips.