Part 6: Create an alert
Now that you know how to search through data and understand your data, we can create an alert. Alerts allow you to monitor trends in your data.
For the purposes of this tutorial, let's create an email alert. To do that we'll schedule the search we just created.
- Let's select our Visitor Locations Search tab and click Save As.
- Let's keep the default settings, and click Schedule this Search.
- Next, select Every 15 minutes as the Run Frequency.
- You will see the options for alerts in the Save Item window.
- Set the following fields:
  - Run Frequency. Every 15 minutes. The search will run every 15 minutes at :00, :15, :30, and :45.
  - Time range for scheduled search. Let's set this for Last 3 Hours.
  - Timezone for scheduled search. This option is great when your source logs are in another timezone, but for now, let's leave this at GMT-8:00.
  - Send Notification. Select Every time a search is complete. You will get an email with search results every 15 minutes based on the selection you made in Run Frequency.
  - Alert Type. Select Email.
  - Send email on failure to search owner. This option is selected by default, but let's unselect the option for this tutorial.
  - Recipients. Put your own email address. Don't copy my email@example.com address.
  - Email Subject. Let's use some variables to make the subject meaningful to you:
    $SearchName $FireTime $NumRawResults
    This will give you a subject line with the name of the saved search, the time that the search ran, and the number of raw messages returned by the search.
  - Include in email. Choose Results as a CSV attachment to get a CSV file of the results to go with your alert. (The maximum CSV file size allowed is 5MB or 1,000 results.)
- Click Save.
Soon, you should see your first email alert, along with a CSV file named with the search name and timestamp.