Sumo Logic

Create an Email Alert

To create a Scheduled Search Email Alert:

  1. Save a search.
  2. To set a schedule for this search, or to set the search to run periodically with an optional alert, click Schedule this search.
    1. Run Frequency. Select the frequency you would like your search to run and the time it should start. 
      • Never. Choose this option to temporarily turn off a scheduled search.
      • Real Time. Sumo Logic Trial, Professional, and Enterprise customers can use this option to set up a Real Time Alert.
      • Every 15 minutes. The search will run every 15 minutes at :00, :15, :30, :45.
      • Hourly. The search will run every hour at :00.
      • Every 2, 4, 6, 8, or 12 Hours. The search will run for the first time at the top of the hour you choose.
      • Daily. You can also choose whether the search runs every Day, every Weekday (Mon-Fri) or every Weekend (Sat-Sun), and at what time. A Daily search will cover exactly 24 hours of activity. You can change the schedule whenever you'd like. (Be aware that a scheduled search will run according to the time zone set on your computer at the time you configure the search. For example, if you are in San Francisco and set a search to run at 7:00 AM, it will run at 7:00 AM PST. If you then fly to New York, and your computer resets to EST, when you schedule a new search at 7:00 AM, it will run at 7:00 AM EST. These two searches will run at different times.)
      • Weekly. The search will run every week. You may also select the day of the week that it runs and the time. 
      • Custom Cron. Enter a custom CRON expression. For details, see Cron Examples and Reference.
      • For users in time zones offset by +/- 30 minutes, the minute is based on UTC. For customers in the IST time zone, for example, there will be a 30-minute offset: instead of starting at :00, the search will start at :30.
    2. Time range for scheduled search. Select Last 24 Hours to get a daily alert. Otherwise, select the time range you want the scheduled search to run on. Alternatively, type a time range; for example, -15m to run the search against data generated in the past 15 minutes.
    3. Timezone for scheduled search. Select the timezone you would like your scheduled search to use. If you don't make a selection, the scheduled search will use the timezone from your browser, which is the default selection.  
    4. Alert condition. Select Send Notification:
      • Every time a search is complete. Select this option if you want an email with search results every time the search is run (depending on the frequency, you could get an email every 15 minutes, every hour, or once a day).
      • If the following condition is met. Select this option if you'd like to set up a scheduled search that alerts you to specific events.
      • Number of results. Depending on the search, set a condition to receive an email by the number of results. If your saved search returns log messages, then the alert will use the number of messages you specify; if your query produces aggregate results, the alert will use the number of aggregates (or groups).
        • Equal to. Choose if there is an exact number of records in a search result at which you want to be notified.
        • Greater than. Choose if you want to be notified only if the search results include greater than that number of messages or groups you set in the text box.
        • Greater than or equal to. Choose if you want to be notified only if the search results include greater than or equal to that number of messages or groups you set in the text box.
        • Fewer than. Choose if you want to be notified only if the search results include fewer than that number of messages or groups you set in the text box.
        • Fewer than or equal to. Choose if you want to be notified only if the search results include fewer than or equal to that number of messages or groups you set in the text box.
    5. Alert Type. Select Email. For other alert types, see Scheduled Searches.
    6. Send email on failure to search owner. This check box is activated by default. Deselect to deactivate. 
    7. Recipients. Enter the recipients of your scheduled search email. Separate multiple email addresses with commas.
    8. Email Subject. You can use variables to customize the subject of your email, such as:
      • $AlertCondition. The condition that triggered this alert. 
      • $FireTime. The time that the search ran. 
      • $NumRawResults. The number of raw messages returned by the search. (There is a limit of 1,000 results.)
      • $SearchName. The name of the saved search. This is the default email subject. 
      • $TimeRange. The time range over which the search was run. 
    9. Include in email. Select the features you want to include in your email results:  
      • Search Query. 
      • Result Set.  
      • Histogram. 
      • Results as a CSV attachment. The maximum CSV file size allowed is 5MB or 1,000 results. 
  3. Click Save to add the search to the Library.
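
Run Frequency and Time range (steps 2.1 and 2.2) are set independently, so a detection search can leave stretches of data unsearched or search the same data several times. The following check is an added example, not Sumo Logic code; it assumes each run queries the window that ends at its fire time and ignores ingestion delay, and all function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone


def run_times(start, every, horizon):
    """Yield the fire times of a search that first runs at `start`
    and then repeats every `every`, up to `start + horizon`."""
    t = start
    while t <= start + horizon:
        yield t
        t += every


def coverage(start, every, time_range, horizon):
    """Compare consecutive runs, each assumed to query [fire - time_range, fire].

    Returns (gaps, overlap): `gaps` is a list of (from, to) intervals that no
    run looks at; `overlap` is the total time searched by more than one
    consecutive run (events there can trigger repeated alerts).
    """
    gaps, overlap = [], timedelta(0)
    prev_end = None
    for fire in run_times(start, every, horizon):
        win_start = fire - time_range
        if prev_end is not None:
            if win_start > prev_end:
                gaps.append((prev_end, win_start))   # data nobody searches
            else:
                overlap += prev_end - win_start      # data searched twice
        prev_end = fire
    return gaps, overlap


if __name__ == "__main__":
    # Constructed sample schedules: (label, frequency, time range).
    start = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    samples = [
        ("Every 15 minutes, -15m", timedelta(minutes=15), timedelta(minutes=15)),
        ("Hourly, -15m", timedelta(hours=1), timedelta(minutes=15)),
        ("Every 15 minutes, -60m", timedelta(minutes=15), timedelta(minutes=60)),
    ]
    for label, every, rng in samples:
        gaps, overlap = coverage(start, every, rng, timedelta(hours=3))
        blind = sum((b - a for a, b in gaps), timedelta(0))
        print(f"{label}: unsearched={blind}, searched more than once={overlap}")
```

A schedule whose time range is shorter than its frequency reports unsearched time; one whose range is longer reports overlap, which is where the "Number of results" condition can fire more than once for the same events.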