Sumo Logic

Lab 6: Create an alert

Now that we have our dashboard and search in place, let's schedule an email alert to let us know when there's an important event in our data.

Create an alert

Now that you know how to search through and understand your data, we can create an alert. Alerts allow you to monitor trends in your data.

For the purposes of this tutorial, let's create an email alert. To do that we'll schedule the search we just created.

  1. In the Apache Overview dashboard, go to the Visitor Locations panel, click the details icon and select Open in Search.
  2. Select the Visitor Locations Search tab, click the More Actions icon, then click Save As.
  3. Keep the default settings and click Schedule this Search.
  4. Next, select Every 15 minutes as the Run Frequency.
  5. You will see the options for alerts in the Save Item window.
  6. Set the following fields:
    1. Run Frequency. Every 15 minutes. The search will run every 15 minutes at :00, :15, :30, and :45.
    2. Time range for scheduled search. Let's set this to Last 3 Hours.
    3. Timezone for scheduled search. This option is useful when your source logs are in another timezone, but for now let's leave this at GMT-8:00.
    4. Send Notification. Select Every time a search is complete. You will get an email with search results every 15 minutes, based on the selection you made in Run Frequency.
    5. Alert Type. Select Email.
    6. Send email on failure to search owner. This option is selected by default, but let's unselect it for this tutorial.
    7. Recipients. Put your own email address. Don't copy my address.
    8. Email Subject. Let's use some variables to make the subject meaningful to you:
      {{SearchName}} {{FireTime}} {{NumRawResults}}
      This gives you a subject line with the name of the saved search, the time the search ran, and the number of raw messages returned by the search.
    9. Include in email. Choose Results as a CSV attachment to get a CSV file of the results along with your alert. (The maximum CSV file size allowed is 5 MB or 1,000 results.)
  7. Click Save. Soon, you should see your first email alert, along with a CSV file named with the search name and timestamp.
  8. To turn the alert off, open the corresponding query in the Search view, select Edit, then Edit this Search's Schedule.
  9. Select Never from the Run Frequency dropdown and click Update to confirm the changes.
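As an added illustration (not part of the Sumo Logic tutorial or product code), the following Python snippet models the schedule configured in step 6: runs aligned to :00/:15/:30/:45 in GMT-8:00, a Last 3 Hours window evaluated at each run, and the three subject-line variables. It assumes the window is measured back from the run time with an inclusive start, and uses a constructed `FireTime` format; it also shows that, because consecutive 3-hour windows overlap, one event is reported in up to 12 successive alerts.

```python
from datetime import datetime, timedelta, timezone

# Settings chosen in the tutorial (Lab 6, step 6).
RUN_EVERY = timedelta(minutes=15)          # Run Frequency: Every 15 minutes
TIME_RANGE = timedelta(hours=3)            # Time range for scheduled search: Last 3 Hours
SCHED_TZ = timezone(timedelta(hours=-8))   # Timezone for scheduled search: GMT-8:00
SUBJECT_TEMPLATE = "{{SearchName}} {{FireTime}} {{NumRawResults}}"


def next_fire_time(now: datetime) -> datetime:
    """Next run boundary (:00, :15, :30, :45) in the schedule timezone, at or after `now`."""
    local = now.astimezone(SCHED_TZ)
    floor = local.replace(minute=(local.minute // 15) * 15, second=0, microsecond=0)
    return floor if floor == local else floor + RUN_EVERY


def search_window(fire_time: datetime) -> tuple[datetime, datetime]:
    """The 'Last 3 Hours' window as evaluated by a run at `fire_time` (assumption: relative to the run)."""
    return fire_time - TIME_RANGE, fire_time


def render_subject(search_name: str, fire_time: datetime, num_raw_results: int) -> str:
    """Expand the three {{...}} variables used in the tutorial's Email Subject.

    The FireTime format is a constructed choice for this example, not Sumo Logic's.
    """
    values = {
        "SearchName": search_name,
        "FireTime": fire_time.astimezone(SCHED_TZ).strftime("%Y-%m-%d %H:%M %z"),
        "NumRawResults": str(num_raw_results),
    }
    subject = SUBJECT_TEMPLATE
    for name, value in values.items():
        subject = subject.replace("{{" + name + "}}", value)
    return subject


def alerts_containing(event_time: datetime) -> int:
    """Count consecutive runs whose window still covers `event_time` (inclusive start assumed).

    With a 15-minute frequency and a 3-hour window the same event shows up repeatedly,
    so a non-zero result count does not by itself mean something new happened.
    """
    count = 0
    fire = next_fire_time(event_time)
    while search_window(fire)[0] <= event_time:
        count += 1
        fire += RUN_EVERY
    return count
```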