
Create a Real Time Alert

Real Time Alerts are scheduled searches that run nearly continuously. That means that you're informed in real time when error conditions exist.

When an alert condition is satisfied, Sumo Logic sends an email (or triggers a script action). Sumo Logic examines ingested data in a rolling window using the Time Range you define. Each time a new result is found, another email is sent, up to a maximum of 120 emails per day.

Real Time Alerts are deduplicated: if a specific raw log message has already triggered an alert, that same log message will not trigger an alert a second time.

For example, if Message X caused an alert to be sent at Time T, and Sumo Logic detects Message X again at Time T+1, Sumo Logic does not send a second alert at Time T+1. But if Sumo Logic detects Message Y at Time T+1, a new alert is sent, because the root cause is different.

Limitations

Time Range Limitations

  • The time range of a Real Time Alert must be between 5 and 15 minutes. 

Operator Limitations

Some operators cannot be used in Real Time Alert searches at all. Others can be used, but only if they appear after the first "group by" phrase in the search:

Not supported for Real Time Alerts:
  • Count_frequent
  • Details
  • First
  • Last
  • Join
  • Parse using
  • Save
  • Sessionize
  • Summarize
  • Trace
  • Transactionize

Must be added after a "group by" phrase:
  • Accum
  • Diff
  • Smooth
  • Sort
  • Top
  • Total
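The time-range and operator limitations above can be checked before a saved search is scheduled as a Real Time Alert. The following pre-flight check is an added example, not Sumo Logic's own code: it assumes a query is a sequence of pipe-separated stages, that a stage beginning with an aggregate function (count, sum, avg, ...) followed by "by" is the "group by" phrase, and it does not handle pipe characters inside quoted strings.

```python
import re

# Operators the page lists as not usable in Real Time Alert searches.
NOT_SUPPORTED = {
    "count_frequent", "details", "first", "last", "join", "parse using",
    "save", "sessionize", "summarize", "trace", "transactionize",
}
# Operators the page lists as allowed only after the first group-by phrase.
AFTER_GROUP_BY_ONLY = {"accum", "diff", "smooth", "sort", "top", "total"}

# Assumption (not from the page): an aggregation stage such as
# "count by status" or "sum(bytes) by host" is the "group by" phrase.
GROUP_BY_RE = re.compile(
    r"^(count|count_distinct|sum|avg|min|max|pct|stddev)\b.*\bby\b", re.I)
# Leading operator word, optionally followed by a second word (for "parse using").
OP_RE = re.compile(r"([a-z_]+)(?:\s+([a-z_]+))?")


def check_real_time_query(query, window_minutes):
    """Return a list of problems; an empty list means the query passes."""
    problems = []
    if not 5 <= window_minutes <= 15:
        problems.append(f"time range {window_minutes}m is outside 5-15 minutes")

    # Simplification: split on every pipe (ignores pipes inside quoted strings).
    stages = [s.strip() for s in query.split("|")]
    seen_group_by = False
    for i, stage in enumerate(stages):
        lowered = stage.lower()
        m = OP_RE.match(lowered)
        op = m.group(1) if m else ""
        phrase = f"{op} {m.group(2)}" if m and m.group(2) else op

        for name in (op, phrase):
            if name in NOT_SUPPORTED:
                problems.append(
                    f"stage {i}: '{name}' is not supported in Real Time Alerts")
                break
        if op in AFTER_GROUP_BY_ONLY and not seen_group_by:
            problems.append(
                f"stage {i}: '{op}' must come after the first group-by phrase")
        if GROUP_BY_RE.match(lowered):
            seen_group_by = True
    return problems


if __name__ == "__main__":
    # Constructed sample queries; stage 0 is the search scope.
    print(check_real_time_query(
        "_sourceCategory=prod | sort by _messagetime | count by host", 10))
```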

Configure a Real Time Alert

To set up a Real Time Alert:

  1. Save a search.
  2. Click Schedule this search.
  3. For Run Frequency, select Real Time.
  4. For all other configuration options, see Schedule a Search.
  5. Click Save.