When you save a search, you can add a schedule to run it at a regularly scheduled time, and add alerts. For alert types, see Scheduled Searches.
To run the scheduled search using receipt time, save the search with receipt time enabled.
Schedule a search
You can create a scheduled search at the time you create a search, or edit a saved search later to add a schedule.
- Click Schedule this search on the edit dialog for a search.
- Select a run frequency. When you make a selection, the additional settings are displayed.
Run Frequency. Determine how frequently your search should run and the time it should start.
- For users in time zones offset from UTC by a half hour, the start minute is based on UTC. For example, for customers in the IST time zone there is a 30-minute offset: instead of starting at :00, the search starts at :30.
- Custom Cron. Enter a custom CRON expression. The run frequency for a CRON expression must not be less than every 15 minutes. For details, see Cron Examples and Reference.
- Weekly. The search will run every week. You may also select the day of the week that it runs and the time.
- Daily. You may also select that your search runs every Day, every Weekday (Mon-Fri) or Weekend (Sat-Sun) and the time. A Daily search will cover exactly 24 hours of activity. You can change the schedule whenever you'd like. (Be aware that a scheduled search will run according to the time zone set on your computer at the time you configure the search. For example, if you are in San Francisco and set a search to run at 7:00 AM, it will run at 7:00 AM PST. If you then fly to New York, and your computer resets to EST, when you schedule a new search at 7:00 AM, it will run at 7:00 AM EST. These two searches will run at different times.)
- Every 2, 4, 6, 8, or 12 Hours. The search will run for the first time at the top of the hour you choose.
- Hourly. The search will run every hour.
- Every 15 minutes. The search will run every 15 minutes, but not exactly at :00, :15, :30, and :45.
- Real Time. Use this option to set up a Real Time Alert. Receipt time is not supported with a Real Time frequency.
- Never. Choose this option to temporarily turn off a scheduled search.
- Time range for scheduled search. Indicates the time range your query will use when it executes, which determines the results the query generates. Select Last 24 Hours to get a daily alert. Otherwise, select the time range you want the scheduled search to run on. An absolute time range (for example, 06/10/2020 1:00:00 PM to 06/10/2020 2:00:00 PM) is not allowed in Scheduled Searches and produces this message:
Invalid query. Static time range is not allowed for scheduled searches.
Alternatively, type a relative time range; for example, -15m runs the search against data generated in the past 15 minutes. A time range outside the maximum allowed range for a given frequency is not allowed and produces this message:
Invalid query. Max allowed time range for 15 minutes frequency is 1 day
The maximum allowed time range for each scheduled search frequency is as follows:

| Frequency | Max Allowed Time Range |
|---|---|
| Real Time | 15 minutes |
| 15 min | 1 day |
| 15 min - 1 hour | 7 days |
| 1 hour - 3 hours | 15 days |
| 3 hours - 12 hours | 30 days |
| More than 12 hours | More than 30 days |
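The two rejection rules above (no static time range, and a look-back capped by run frequency) can be checked before a search is saved. The following is an added example, not Sumo Logic's own code: it assumes the run frequency is given in minutes (Real Time modelled as 0), treats the upper edge of each frequency bucket in the table as inclusive, and accepts the relative units s, m, h, d and w, of which only -15m appears on this page.

```python
import re

# Maximum look-back per run frequency, transcribed from the table above.
# Each row: (upper edge of the frequency bucket in minutes, max range in
# minutes, label used in the error message). Treating bucket edges as
# inclusive is an assumption; Real Time is modelled as frequency 0.
FREQUENCY_LIMITS = [
    (0, 15, "15 minutes"),
    (15, 24 * 60, "1 day"),
    (60, 7 * 24 * 60, "7 days"),
    (3 * 60, 15 * 24 * 60, "15 days"),
    (12 * 60, 30 * 24 * 60, "30 days"),
]

# Relative ranges such as -15m or -1d. The unit set beyond "m" is an
# assumption about the query language, not something this page states.
_UNIT_MINUTES = {"s": 1 / 60, "m": 1, "h": 60, "d": 24 * 60, "w": 7 * 24 * 60}
_RELATIVE = re.compile(r"^-(\d+)([smhdw])$")

STATIC_RANGE_ERROR = (
    "Invalid query. Static time range is not allowed for scheduled searches."
)


def relative_range_minutes(time_range):
    """Return the look-back in minutes, or None if the range is not relative
    (an absolute/static range like '06/10/2020 1:00:00 PM to ...')."""
    match = _RELATIVE.match(time_range.strip())
    if not match:
        return None
    return int(match.group(1)) * _UNIT_MINUTES[match.group(2)]


def frequency_limit(frequency_minutes):
    """Return (max_minutes, label) for the frequency bucket, or None when
    the frequency is above 12 hours and any look-back is permitted."""
    for upper, limit, label in FREQUENCY_LIMITS:
        if frequency_minutes <= upper:
            return limit, label
    return None


def check_schedule(frequency_minutes, time_range):
    """Return None if the schedule is valid, otherwise the rejection message."""
    lookback = relative_range_minutes(time_range)
    if lookback is None:
        return STATIC_RANGE_ERROR
    bucket = frequency_limit(frequency_minutes)
    if bucket is not None and lookback > bucket[0]:
        return (f"Invalid query. Max allowed time range for "
                f"{frequency_minutes} minutes frequency is {bucket[1]}")
    return None
```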
- Timezone for scheduled search. Select the time zone you would like your scheduled search to use. The schedule's time is based on this time zone. This time zone is not related to the time zone of your data. If you don't make a selection, the scheduled search uses the time zone from your browser, which is the default selection.
- Send Notification. Select the condition for when you want an alert sent.
- Every time a search is complete. Select this option if you want an email with search results every time the search is run (depending on the frequency, you could get an email every 15 minutes, every hour, or once a day).
- If the following condition is met. Select this option if you'd like to set up a scheduled search that alerts you to specific events.
- Number of results. Depending on the search, set a condition to receive an email based on the number of results. If your saved search returns log messages, the alert uses the number of messages you specify. If your query produces aggregate results, the alert uses the number of rows or aggregates (or groups) and does not trigger on the number of raw results. For more control over your query, you can build a threshold into the search itself (for example, | where _count > 30) and set the alert condition here to Greater than 0. That way the query only generates results when the expected condition is met.
- Equal to. Choose if there is an exact number of records in a search result at which you want to be notified.
- Greater than. Choose if you want to be notified only if the search results include more than the number of messages or groups you set in the text box.
- Greater than or equal to. Choose if you want to be notified only if the search results include at least the number of messages or groups you set in the text box.
- Fewer than. Choose if you want to be notified only if the search results include fewer than the number of messages or groups you set in the text box.
- Fewer than or equal to. Choose if you want to be notified only if the search results include no more than the number of messages or groups you set in the text box.
- Alert Type. For details on the available alert types see Scheduled Searches.