Part 6: Create an alert
Now that you know how to search through data and understand your data, we can create an alert. Alerts allow you to monitor trends in your data.
For the purposes of this tutorial, let's create an email alert. To do that we'll schedule the search we just created.
- Let's select our Visitor Locations Search tab and click Save As.
- Let's keep the default settings, and click Schedule this Search.
- Next, select Every 15 minutes as the Run Frequency.
- You will see the options for alerts in the Save Item window.
- Set the following fields:
  - Run Frequency. Every 15 minutes. The search will run every 15 minutes, at :00, :15, :30, and :45.
  - Time range for scheduled search. Let's set this to Last 3 Hours.
  - Timezone for scheduled search. This option is useful when your source logs are in another time zone, but for now, let's leave this at GMT-8:00.
  - Send Notification. Select Every time a search is complete. You will get an email with search results every 15 minutes, based on the selection you made in Run Frequency.
  - Alert Type. Select Email.
  - Send email on failure to search owner. This check box is selected by default, but let's uncheck it for this tutorial.
  - Recipients. Put your own email address. Don't copy my firstname.lastname@example.org address.
  - Email Subject. Let's use some variables to make the subject meaningful to you:
    $SearchName $FireTime $NumRawResults
    This will give you a subject line with the name of the saved search, the time that the search ran, and the number of raw messages returned by the search.
  - Include in email. Keep the default options, and select a CSV file of the results to go with your alert: choose Results as a CSV attachment. (The maximum CSV file size allowed is 5MB or 1,000 results.)
- Click Save.
Soon, you should see your first email alert:
And also a CSV file named with the search name and timestamp:
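Once alerts start arriving, a small receiving script can make use of the subject format and CSV attachment set up above: it parses `$SearchName $FireTime $NumRawResults`, flags an attachment that hit the 1,000-result cap, and suppresses events already reported, since a search that runs every 15 minutes over Last 3 Hours includes each event in 12 consecutive alerts. This Python is an added example, not part of the tutorial or the product's own tooling; the timestamp format of $FireTime and the CSV column names `_messagetime` and `_raw` are assumptions, and the sample subject and attachments are constructed.

```python
import csv
import io
import re
from datetime import datetime

# Subject template from the tutorial: "$SearchName $FireTime $NumRawResults".
# The timestamp format below is an assumption for this example.
SUBJECT_RE = re.compile(
    r"^(?P<name>.+) (?P<fired>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<n>\d+)$")
CSV_RESULT_CAP = 1000  # attachment cap from the tutorial (5MB or 1,000 results)

def parse_subject(subject):
    """Return (search_name, fire_time, num_raw_results) from the alert subject."""
    m = SUBJECT_RE.match(subject)
    if m is None:
        raise ValueError("subject does not follow $SearchName $FireTime $NumRawResults")
    return m["name"], datetime.strptime(m["fired"], "%Y-%m-%d %H:%M:%S"), int(m["n"])

def attachment_is_truncated(num_raw_results, csv_text):
    """True when the CSV carries fewer rows than the search matched, which is
    what you see once a search returns more than CSV_RESULT_CAP results."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return len(rows) < min(num_raw_results, CSV_RESULT_CAP) or len(rows) < num_raw_results

def repeats_per_event(run_every_minutes=15, lookback_minutes=180):
    """Number of consecutive alerts that include the same event: the scheduled
    windows overlap, so with the tutorial's settings each event is reported 12
    times unless the receiver deduplicates."""
    return -(-lookback_minutes // run_every_minutes)  # ceiling division

def new_rows(previous_csv, current_csv, key=("_messagetime", "_raw")):
    """Rows in the current attachment not present in the previous one, keyed on
    assumed column names; use this to drop re-reported events."""
    seen = {tuple(r[k] for k in key) for r in csv.DictReader(io.StringIO(previous_csv))}
    return [r for r in csv.DictReader(io.StringIO(current_csv))
            if tuple(r[k] for k in key) not in seen]

# Constructed sample alert: one subject line and two successive CSV attachments.
SUBJECT = "Visitor Locations Search 2024-01-15 09:15:00 3"
PREV_CSV = ("_messagetime,_raw\n"
            "1705309800000,GET /index.html 203.0.113.5\n"
            "1705310100000,GET /login 198.51.100.7\n")
CUR_CSV = PREV_CSV + "1705310700000,GET /admin 192.0.2.9\n"

if __name__ == "__main__":
    name, fired, n = parse_subject(SUBJECT)
    print(name, fired.isoformat(), n, "truncated:", attachment_is_truncated(n, CUR_CSV))
    print("repeats per event:", repeats_per_event())
    print("new since last alert:", [r["_raw"] for r in new_rows(PREV_CSV, CUR_CSV)])
```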