Skip to main content

Scheduled Searches

icon

Scheduled searches are standard saved searches that are executed on a schedule you set. Once configured, scheduled searches run continuously, making them a great tool for continuously monitoring your stack. For instructions, see Schedule a Search.

Scheduled Search Alert Types

When you create a scheduled search, you can configure several different alert types including email, Script Action, ServiceNow Connection, Webhook, Save to Index, Real Time Alerts, and Cloud SIEM Enterprise (CSE) Signals.

Email

You can create a scheduled search to alert you with an email when a set of conditions are satisfied. A maximum of 120 emails are sent per day per scheduled search. For instructions, see Create an Email Alert.

Script Action

A Script Action is a Source type that receives data uploads triggered by a scheduled search. The script you create defines how data is consumed; for example, you could fire SNMP traps based on the result of the search. After setting up a Script Action, create a scheduled search. Each time the search query executes, the Collector runs the script configured in the Script Action. For instructions, see Script Action.

note

You need the View Collectors role capability to alert with a Script Action.

ServiceNow Connection

Existing customers of both ServiceNow and Sumo Logic can now take advantage of the integration between the services. With this integration, search results from Sumo Logic are uploaded to your organization's ServiceNow account, allowing your organization to investigate issues across your deployment.

The main way data is uploaded to ServiceNow is through the use of scheduled searches. After saving a search, results are available in ServiceNow. Additionally, you can launch ad-hoc ServiceNow investigations using search results in Sumo Logic. For instructions, see ServiceNow.

Webhook

Webhook connections allow you to send Sumo Logic alerts to third-party applications that accept incoming webhooks. For example, once you set up a Webhook connection in Sumo Logic, and create a scheduled search, then you can send an alert from that scheduled search as a post to a Slack channel, or integrate with third-party systems. For instructions, see Scheduled Searches for Webhook Connections.

Save to Index

When you create a Scheduled Search, you can save the results to an Index. This way, your data can be searched at a later time using _index=index_name with increased search performance. For instructions, see Save to Index.

Save to Lookup

When you create a Scheduled Search, you can save the results to a Lookup Table. This way, you can view the results of the scheduled search from the Library by viewing the Lookup Table the search results were saved to. You can use the lookup operator to enrich other log data with the information from the Lookup Table. For instructions, see Save to Lookup.

Real Time Alerts

Real Time Alerts are scheduled searches that run nearly continuously. That means that you're informed in real time when error conditions exist.

When an alert condition is satisfied, Sumo Logic sends an email (or triggers a script action). Sumo Logic examines ingested data in a rolling window using the Time Range you define. Any time a new result is found, another email is sent. For instructions, see Create a Alert.

CSE Signal

You can trigger the creation of a CSE Signal with a scheduled search. Signals are otherwise generated when the conditions of a CSE rule are satisfied by a Record. Signals are correlated with other Signals to create a CSE Insight. For instructions, see Generate CSE Signals With a Scheduled Search.

Guides

Important considerations:

note

Fields are returned in lowercase in scheduled search results.

Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.