Scheduled searches are standard saved searches that are executed on a schedule you set. Once configured, scheduled searches run continuously, making them a great tool for continuously monitoring your stack. For instructions, see Schedule a Search. See How to Prevent your Scheduled Search from Timing Out for information on preventing timeouts in scheduled searches.
Scheduled Search Alert Types
When you create a scheduled search, you can configure several different alert types including email, Script Action, ServiceNow Connection, Webhook, Save to Index, and Real Time Alerts.
You can create a scheduled search to alert you with an email when a set of conditions are satisfied.
For instructions, see Create an Email Alert.
A Script Action is a Source type that receives data uploads triggered by a scheduled search. The script you create defines how data is consumed; for example, you could fire SNMP traps based on the result of the search.
After setting up a Script Action, create a scheduled search. Each time the search query executes, the Collector runs the script configured in the Script Action.
For instructions, see Script Action.
Existing customers of both ServiceNow and Sumo Logic can now take advantage of the integration between the services. With this integration, search results from Sumo Logic are uploaded to your organization's ServiceNow account, allowing your organization to investigate issues across your deployment.
The main way data is uploaded to ServiceNow is through the use of scheduled searches. After saving a search, results are available in ServiceNow. Additionally, you can launch ad-hoc ServiceNow investigations using search results in Sumo Logic.
For instructions, see ServiceNow.
Webhooks connections allow you to send Sumo Logic alerts to third-party applications that accept incoming webhooks. For example, once you set up a Webhook connection in Sumo Logic, and create a scheduled search, then you can send an alert from that scheduled search as a post to a Slack channel, or integrate with third-party systems.
For instructions, see Scheduled Searches for Webhook Connections.
Save to Index
When you create a Scheduled Search, you can save the results to an Index. This way, your data can be searched at a later time using _index=index_name with increased search performance.
For instructions, see Save to Index.
Real Time Alerts
Real Time Alerts are scheduled searches that run nearly continuously. That means that you're informed in real time when error conditions exist.
When an alert condition is satisfied, Sumo Logic sends an email (or triggers a script action). Sumo Logic examines ingested data in a rolling window using the Time Range you define. Any time a new result is found, another email is sent.