Create a Scheduled Search Real-Time Alert
The ability to create new real-time alert scheduled searches has been deprecated. While you can no longer create new real-time alerts, existing real-time alerts will continue to function as before. Learn more.
Real-time alerts are scheduled searches that run nearly continuously. This means that you're informed in real time when error conditions exist.
When an alert condition is satisfied, Sumo Logic triggers the selected alert type and examines ingested data in a rolling window using the time range you define. When a new result is found, you'll receive an email.
This document describes how to manage existing real-time alert scheduled searches. Although creating new real-time alerts is no longer supported, you can still view, edit, and delete existing ones.
When to use
Only use real-time schedules when you know your data is ingested within a few minutes of its creation. The receipt time should be within a few minutes of your log's message time. Learn about troubleshooting timestamp discrepancies here.
Real-time alerts are not duplicated, which means that if a specific raw log message has triggered an alert once already, that same log message will not trigger an alert a second time.
For example, if Message X caused an alert to be sent at Time T, and Sumo Logic detects Message X again at Time T+1, Sumo Logic does not send a second alert at Time T+1. But if Sumo Logic detects Message Y at Time T+1, a new alert is sent, because the root cause is different.
If the time zone of messages is set incorrectly, those logs won't be picked up by real-time alerts.
Limitations
- The time range of a real-time alerts must be between 5 and 15 minutes.
- Searching by receipt time is not supported.
- If your search query result is a subset of your previous run's result, a real-time alert will not trigger. It will trigger only when there are new results compared to the previous run.
- A maximum of 120 emails are sent per day from real-time alerts.
- Aggregate real-time scheduled searches evaluate the first 1,000 results per search. For example, if the scheduled search is supposed to return more than 1,000 results, reduce the scope of the search.
- Non-aggregate real-time scheduled searches evaluate the first 100 results per search. For example, if the scheduled search is supposed to return more than 100 results, either convert it to aggregate scheduled search or reduce the scope of the search.
- The
_dataTiersearch modifier is not supported in real-time alert searches.
Operator limitations
- Some queries cannot be used in real-time alerts searches. Other operators can be used in real-time search, but in the search, they must be included after the first "group-by" phrase:
| Not supported for real-time alerts | Must be added after a "group by" phrase |
|---|---|
|
|
- Real-time queries using Time Compare need to have at least three timeslices within its time range. For example, if the time range is 10 minutes, your timeslices need to be no longer than 3 minutes so that there are at least three of them.
Viewing existing real-time alerts
- Navigate to the Alerts section in your Sumo Logic dashboard.
- Use the search functionality to locate existing real-time alerts.
Editing existing real-time alerts
- Click on the real-time alert you wish to edit.
- Make necessary changes to the alert parameters (such as conditions or notification settings).
- Save your changes to update the alert.
Deleting existing real-time alerts
- Select the real-time alert you want to delete.
- Click the Delete button and confirm the deletion.
Alternatives to real-time alerts
Since the creation of new real-time alerts is deprecated, we recommend using monitors to achieve similar functionality.