For Scheduled View query requirements, see Scheduled Views Best Practices and Examples.
- In Sumo Logic, go to Manage Data > Logs > Scheduled Views.
- Click +.
- In the Create a View dialog box, enter the following:
- Scheduled View. Type a name that you'll use to search the data in a query. It's important to use a name that's descriptive and easy to remember. Names can contain alphanumeric characters; underscores( _ ) are the only special characters allowed. View names can only have (A-Z, a-z, 0-9), $, and _ after the first letter.
- Query. Type the full query that encompasses the data you'd like indexed in the view. Parse operators and most search operators are supported in views.
- Search Mode. Set to Auto Parse Mode for Dynamic Parsing of JSON data. Manual Mode is the standard search behavior.
- Start Date. Click the date that you'd like to use as the start time of the index. All data from that point forward will be indexed in the scheduled view. The oldest selectable date represents the end of the retention period of your Sumo Logic account.
- Retention Period. Either enter a retention period for the data in the index, in days, or click Apply the retention period of Default Continuous Partition. For more information, see Manage Indexes with Variable Retention.
- Data Forwarding. (Optional). Only raw log data can be forwarded from a Scheduled View. Aggregated data cannot be forwarded. Choose Enable Data Forwarding to forward data from Sumo to Amazon S3.
- Click Create.
The view begins to index data as soon as you create it. Allow a few hours for the indexing to complete. If you've chosen to index a large amount of data and/or have chosen a long date range for the view, it could take a bit longer.
Once created, scheduled views are executed once per minute.