Tutorial Step 8: Create a Scheduled Search Email Alert (deprecated)

You can schedule a search at the same time you save it, or schedule it later from the Library. Here, let's create a new search, save it, and schedule it.

  1. On the Search page, enter the following new search query:

    _sourceCategory="Apache/<wbr/>Access" and GET
    | parse "\"\"GET * HTTP/1.1\"\" * * \"\"*\"\"" as url,status_code,size,referrer
    | where status_code=404
    | timeslice 10m
    | count by _timeslice, status_code
    | where _count > 8

    Notice the last line. We are trying to only identify those 10-minute timeslices that have 8 or more 404 status code responses.
  2. Select a timerange of 60 minutes, and click Start
    QS scheduled search.png
  3. Under the search query box, click Save As.
  4. The Save Search As dialog displays.
  5. For Search name, enter 8 or More 404s.
  6. Click Schedule this search.
  7. The Schedule this search dialog opens.
    1. For Run Frequency, select Daily from the menu, and select a time different from the one that is automatically chosen, if you like.
    2. For Time range for scheduled search, select the Last 24 Hours, to get a daily alert.
    3. Select an Alert condition. For this one, we’ll choose Send notification only if the condition below is satisfied, and configure
      Number of results Equal to = 0.
    4. For Alert Type, select Email. (You can also select Script Action, if you’d like to run a script at this time.)
    5. Under Recipients, enter your email.
    6. Click Save to schedule the search to run, or for this tutorial, just click Cancel.

Now let’s go back and explore the Library, and learn about Sumo Logic Apps.