Sumo Logic

Set Up Searches for ServiceNow Integration

Scheduled searches are saved searches that run automatically at specified intervals. When a scheduled search is set to upload search results to ServiceNow, you can combine services for round-trip investigations.

You can create a brand new search, or you can base a search on an existing saved or scheduled search. If you'd like to use an existing search, save the query as a new search so that you don't override the existing search's current schedule.

Before you can set up searches for ServiceNow, you'll need to configure a ServiceNow Connection.

To set up a search for ServiceNow integration

  1. Do one of the following:
    • Click the Open link below the Search query field. Select the search you want to schedule, and then click Save As.
    • Click Save As under the query currently displayed in the search box.
  2. In the Save Search As dialog box, enter a name for the search and an optional description.
  3. Choose an option from the Time Range menu.
  4. Click Schedule this search.
  5. Choose an option from the Run Frequency menu:
    • Never. Choose this option to temporarily turn off a scheduled search.
    • Real Time. Enterprise and paid trial customers can use this option to set up Real Time Alerts.
    • Every 15 Minutes. The search will run for the first time when you save the schedule, and then every 15 minutes after that.
    • Hourly. The search will run for the first time at the top of the next hour after you save the schedule, and then every hour after that.
    • Every 2, 4, 6, 8, or 12 Hours. The search will run for the first time at the top of the hour you choose.
    • Daily. Choose the time you'd like to run the search every day. A Daily search will cover exactly 24 hours of activity. You can change the schedule whenever you'd like.
  6. Choose a Time Range option to set the default range the scheduled search is run against. Alternatively, type a time range; for example, -15m runs the search against data generated in the past 15 minutes.
  7. For Alert Condition, choose one of the following:
    • Notify me every time upon search completion if you want an email with search results every time the search is run (depending on the frequency, you could get an email every 15 minutes, every hour, or once a day).
    • Notify me only if the condition below is satisfied if you'd like to set up a scheduled search that alerts you to specific events, and then set any of the following conditions before typing a value in the text box:
  8. Choose an option for Number of Results. Depending on the search, set a condition to receive an email based on the number of results. If your saved search returns log messages, the alert will use the number of messages you specify; if your query produces aggregate results, the alert will use the number of aggregates (or groups).
    • Equal to. Choose if there is an exact number of records in a search result at which you want to be notified.
    • Greater than. Choose if you want to be notified only if the search results include greater than that number of messages or groups you set in the text box.
  9. Send email on failure to search owner is activated by default. If you do not want an email when the scheduled search fails, deactivate this check box.
  10. For Alert Type, choose ServiceNow Connection to upload search results to ServiceNow.
  11. Next, you'll set ServiceNow-specific options. Select a Connection, choose an option for Severity, then type information for Type, Node, and Resource (optional).
  12. Click Save.
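The following is an added illustration, not Sumo Logic's own code: it evaluates a scheduled search's alert condition the way steps 7 and 8 describe it (every run, or only when the Number of Results is equal to / greater than a threshold, counting messages for a raw search and groups for an aggregate query) and assembles the Severity, Type, Node and Resource fields from step 11. The class names, the dictionary layout and the sample groups are assumptions constructed for this example, not the connection's real wire format.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SearchResult:
    # A non-aggregate search returns log messages; an aggregate query
    # (for example one ending in "| count by src_ip") returns groups instead.
    messages: list = field(default_factory=list)
    groups: list = field(default_factory=list)
    is_aggregate: bool = False


@dataclass
class AlertCondition:
    mode: str                         # "every_time" or "conditional" (step 7)
    operator: Optional[str] = None    # "equal_to" or "greater_than" (step 8)
    threshold: Optional[int] = None   # the value typed in the text box


def number_of_results(result: SearchResult) -> int:
    """Step 8: count messages for a raw search, aggregates (groups) otherwise."""
    return len(result.groups) if result.is_aggregate else len(result.messages)


def should_alert(cond: AlertCondition, result: SearchResult) -> bool:
    """Step 7: notify on every completion, or only when the condition holds."""
    if cond.mode == "every_time":
        return True
    n = number_of_results(result)
    if cond.operator == "equal_to":
        return n == cond.threshold
    if cond.operator == "greater_than":
        return n > cond.threshold
    raise ValueError(f"unknown operator {cond.operator!r}")


def build_servicenow_record(search_name, result, severity, type_, node, resource=None):
    """Step 11 fields. The dict layout is an assumption for illustration only."""
    record = {
        "source": f"Sumo Logic scheduled search: {search_name}",
        "severity": severity,
        "type": type_,
        "node": node,
        "result_count": number_of_results(result),
    }
    if resource is not None:          # Resource is optional on the page
        record["resource"] = resource
    return record


# Constructed sample: an aggregate query grouped failed logins by source IP.
SAMPLE = SearchResult(groups=[{"src_ip": "198.51.100.7", "_count": 42},
                              {"src_ip": "203.0.113.9", "_count": 5}],
                      is_aggregate=True)
```

Because SAMPLE is an aggregate result, its Number of Results is 2 (the groups), not 47 (the underlying messages), which is the distinction step 8 draws.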