Sumo Logic

Create an Email Alert

To create a Scheduled Search Email Alert:

  1. First, create a scheduled search. See Schedule a Search. Then follow the steps below to create an email alert.
  2. Alert condition. Select Send Notification:
    • Every time a search is complete. Select this option if you want an email with search results every time the search is run (depending on the frequency, you could get an email every 15 minutes, every hour, or once a day).
    • If the following condition is met. Select this option if you'd like to set up a scheduled search that alerts you to specific events.
    • Number of results. Depending on the search, set a condition to receive an email based on the number of results. If your saved search returns log messages, the alert uses the number of messages you specify; if your query produces aggregate results, the alert uses the number of aggregates (or groups).
      • Equal to. Choose if there is an exact number of records in a search result at which you want to be notified.
      • Greater than. Choose if you want to be notified only if the search results include greater than that number of messages or groups you set in the text box.
      • Greater than or equal to. Choose if you want to be notified only if the search results include greater than or equal to that number of messages or groups you set in the text box.
      • Fewer than. Choose if you want to be notified only if the search results include fewer than that number of messages or groups you set in the text box.
      • Fewer than or equal to. Choose if you want to be notified only if the search results include fewer than or equal to that number of messages or groups you set in the text box.
  3. Alert Type. Select Email. For other alert types, see Scheduled Searches.
  4. Send email on failure to search owner. This check box is activated by default. Deselect to deactivate. 
  5. Recipients. Enter the recipients of your scheduled search email. Separate multiple email addresses with commas.
  6. Email Subject. You can use variables to customize the subject of your email such as:
    • $AlertCondition. The condition that triggered this alert. 
    • $FireTime. The time that the search ran. 
    • $NumRawResults. The number of raw messages returned by the search. (There is a limit of 1,000 results.)
    • $SearchName. The name of the saved search. This is the default email subject. 
    • $TimeRange. The time range over which the search was run. 
  7. Include in email. Select the features you want to include in your email results:  
    • Search Query. 
    • Result Set.  
    • Histogram. 
    • Results as a CSV attachment. The maximum CSV file size allowed is 5MB or 1,000 results. 
  8. Click Save to add the search to the Library.

The columns in an alert email are alphabetically ordered. To set the column order in the email alert, you can use the fields operator in your query.
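As an added example (not from the original page), here is a scheduled search that pairs with the settings above: it counts failed logins per user and source IP, and the trailing fields operator fixes the column order of the email instead of the default alphabetical order. The source category, the log text, and the parse pattern are assumptions; substitute your own.

```sumo
// Assumed source category and message text; adjust to your own logs
_sourceCategory=prod/auth "authentication failed"
// Assumed log format: ... user=<name> src=<ip> ...
| parse "user=* src=*" as user, src_ip
// Aggregate results: the alert condition counts groups, not raw messages
| count by user, src_ip
| where _count >= 10
| sort by _count
// Email columns appear in this order rather than alphabetically
| fields user, src_ip, _count
```

Use "If the following condition is met", Number of results, Greater than or equal to 1, so an email is sent only when at least one user/IP pair crosses the threshold; a subject such as `$SearchName: $NumRawResults failures over $TimeRange` keeps the context visible in the inbox.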