Create a Real-Time Alert
Real-Time Alerts are scheduled searches that run nearly continuously. That means that you're informed in real time when error conditions exist.
When an alert condition is satisfied Sumo Logic triggers the selected alert type. Sumo Logic examines ingested data in a rolling window using the Time Range you define. Any time a new result is found, another email is sent.
When to Use
Only use real-time schedules when you know your data is ingested within a few minutes of its creation. The receipt time should be within a few minutes of your log's message time. See how to troubleshoot timestamp discrepancies.
Real-Time Alerts are not duplicated, which means that if a specific raw log message has triggered an alert once already, that same log message will not trigger an alert a second time.
For example, if Message X caused an alert to be sent at Time T, and Sumo Logic detects Message X again at Time T+1, Sumo Logic does not send a second alert at Time T+1. But if Sumo Logic detects Message Y at Time T+1, a new alert is sent, because the root cause is different.
If the time zone of messages is set incorrectly, those logs won't be picked up by Real-Time Alerts.
Configure a Real-Time Alert
To set up a Real-Time Alert:
- Save a search.
- Click Schedule this search.
- Run Frequency. Select Real Time.
- For all other configuration options, see Schedule a Search.
- Click Save.
Limitations
- The time range of a Real-Time Alert must be between 5 and 15 minutes.
- Searching by receipt time is not supported.
- If your search query result is a subset of your previous run's result, a Real-Time Alert will not trigger. It will trigger only when there are new results compared to the previous run.
- A maximum of 120 emails are sent per day per Real-Time Alert.
- Aggregate real-time scheduled searches evaluate the first 1,000 results per search. For Example, if the scheduled search is supposed to return more than 1,000 results, reduce the scope of the search.
- Non-Aggregate real-time scheduled searches evaluate the first 100 results per search. For Example, if the scheduled search is supposed to return more than 100 results, either convert it to aggregate scheduled search or reduce the scope of the search.
- The
_dataTier
search modifier is not supported in Real-Time Alert searches.
Notification Results
The results from your search will vary based on the type of alert selected. The following table shows the differences. The above limitations still apply to this logic:
Alert Type | Results in Notification |
---|---|
Webhook | If the Send a separate alert for each search result checkbox is selected (in step 6), only new results from subsequent searches are sent in the alert payload. Otherwise, all results are sent. |
Save to Index | All results are saved from an aggregate query. Only new results from subsequent searches are saved from a non-aggregate query. |
Save to Lookup | All results are saved. |
Operator limitations
Some queries can not be used in Real-Time Alert searches. Other operators can be used in Real-Time search, but in the search, they must be included after the first "group-by" phrase:
Not supported for Real-Time Alerts Must be added after a "group by" phrase - Count_frequent
- Details
- First, Last - instead use the withtime option, see most_recent and least_recent.
- LogReduce
- Now()
- Outlier will omit the first N (window size) data points in results because those data points are used in the training phase.
- Join
- Parse using
- queryStartTime()
- queryEndTime()
- Save
- Sessionize
- Subquery
- Threat Intel
- Trace
- Timeslice greater than 1 day
- Transactionize
- Accum
- Backshift
- Diff
- Join
- Limit
- RollingStd
- Smooth
- Sort
- Top
- Total
- Transaction By Flow
- Compare With can be used when your query's aggregate operation is grouped by a timeslice. See number 2, below, for details.
Real time queries using time compare need to have at least three timeslices within its time range. For example, if the time range is 10 minutes, your timeslices need to be no longer than 3 minutes so that there are at least three of them.