Creating Saved Search Alerts (Scheduled Alerts)

This section describes how to schedule Saved Searches to run as Scheduled Alerts. For information on creating Real Time Alerts, see Creating Real-Time Alerts. For a description of the types of alerts, see Logger Alert Types.

You can schedule a Saved Search to run at any time. Before you schedule a Saved Search Alert, you must have created at least one Saved Search.

Note: Saved searches used in Alerts cannot contain aggregation operators such as chart or top. See Saving Queries, Creating Saved Searches and Saved Filters. for more information.

You can add a new Scheduled Search or Alert from the Configuration menu or directly from the search results page.

To set up a Scheduled Search Alert from the search results page (Analyze > Classic Search), see Creating Saved Search Alerts (Scheduled Alerts).
To set up a Scheduled Search from the search results page (Analyze > Classic Search), follow the instruction in Saving Queries, Creating Saved Searches and Saved Filters., set the Type to Scheduled Search and select the Schedule it option.
You can set up a Scheduled Search or Alert from the Analyze > Search page or Configuration > Search > Scheduled Searches/Alerts page. For further details, see Adding a Scheduled Search or Scheduled Alert.

To set up a Saved Search Alert from the search results page:

Run a search, as described in Searching for Events.

Click the Save icon () and enter the following settings.

Parameter	Description
Name	A name for the query you are saving.
Save as	To enable the Scheduling option, select Saved Search.
Schedule it	Click to schedule now or leave blank to schedule later.
Type	Select whether you want to schedule a Search or an Alert. Scheduled searches run on a predetermined schedule and export results to a pre-specified location. Scheduled alerts run a search on a predetermined schedule but only generate an alert if the specified number of events within the specified threshold is found. Select Scheduled Alert to create an Alert.

Click Save.

If you checked the “Schedule it” setting in the previous step, you are prompted to choose if you want to edit the schedule. If you click OK, the Edit Scheduled Search page is displayed, as shown in the next step. If you click Cancel, the search is saved but it is not scheduled to run.
The Edit Scheduled Search/Alert page enables you to define a schedule for the saved search job and alert options. Select the desired options, and click Save. For details about the parameters, see Alert Job Options.
After creating the Scheduled Alert, enable it as described in To enable or disable a Scheduled Search or Alert.