You can schedule a search at the same time you save it, or schedule it later from the Library. Here, let's create a new search, save it, and schedule it.
- On the Search page, enter the following new search query:
_sourceCategory="Apache/Access" and GET
| parse "\"GET * HTTP/1.1\" * * \"*\"" as url,status_code,size,referrer
| where status_code=404
| timeslice 10m
| count by _timeslice, status_code
| where _count >= 8
Notice the last line. It keeps only those 10-minute timeslices that have 8 or more 404 status code responses.
- Select a timerange of 60 minutes, and click Start.
- Under the search query box, click Save As.
- The Save Search As dialog displays.
- For Search name, enter 8 or More 404s.
- Click Schedule this search.
- The Schedule this search dialog opens.
- For Run Frequency, select Daily from the menu, and select a time different from the one that is automatically chosen, if you like.
- For Time range for scheduled search, select Last 24 Hours, to get a daily alert.
- Select an Alert condition. For this one, we’ll choose Send notification only if the condition below is satisfied, and configure Number of results Equal to = 0.
- For Alert Type, select Email. (You can also select Script Action, if you’d like to run a script at this time.)
- Under Recipients, enter your email.
- Click Save to schedule the search to run, or for this tutorial, just click Cancel.
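To see what the query computes, the following added Python example (not Sumo Logic code and not part of the original tutorial) applies the same steps to constructed Apache access log lines: GET filter, field parse, 404 filter, 10-minute timeslice, count, and the "8 or more" threshold described in the text. The regex, function names and sample lines are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Extracts the same fields as the query's parse step:
# url, status_code, size, referrer (GET requests over HTTP/1.1 only).
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "GET (?P<url>\S+) HTTP/1\.1" '
    r'(?P<status_code>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)"'
)
SLICE_SECONDS = 600   # timeslice 10m
THRESHOLD = 8         # "8 or more" 404s per slice

def slice_start(ts):
    """Floor a timestamp to the start of its 10-minute bucket."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % SLICE_SECONDS, tz=ts.tzinfo)

def noisy_404_slices(lines, threshold=THRESHOLD):
    """Return {slice start (ISO 8601): count} for slices at or over threshold."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m is None or m.group("status_code") != "404":
            continue  # not a GET request, or not a 404
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        counts[slice_start(ts)] += 1
    return {s.isoformat(): n for s, n in sorted(counts.items()) if n >= threshold}

def sample_line(minute, second, status, method="GET"):
    """Build one constructed Apache combined-format access log line."""
    return (f'203.0.113.7 - - [10/Mar/2024:14:{minute:02d}:{second:02d} +0000] '
            f'"{method} /missing-{minute}-{second} HTTP/1.1" {status} 512 '
            f'"-" "example-agent/1.0"')

# Constructed sample data: three 10-minute slices starting at 14:00 UTC.
SAMPLE = (
    [sample_line(0 + i, 5, 404) for i in range(8)]        # 14:00 slice: exactly 8
    + [sample_line(10 + i, 5, 404) for i in range(7)]     # 14:10 slice: only 7
    + [sample_line(12, 30, 404, method="POST")]           # ignored: not a GET
    + [sample_line(15, i, 200) for i in range(5)]         # ignored: not 404s
    + [sample_line(20 + i, 5, 404) for i in range(9)]     # 14:20 slice: 9
)

if __name__ == "__main__":
    for start, count in noisy_404_slices(SAMPLE).items():
        print(start, count)
```

The 14:10 slice is dropped because the POST request and the 200 responses are filtered out before counting, which leaves it one short of the threshold.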
Now let’s go back and explore the Library, and learn about Sumo Logic Apps.