Create scheduled searches

Use scheduled searches to run a static query on a defined schedule. When the query runs, Logs evaluates the result. If the result isn't empty, the associated action triggers and notifies the groups or individuals that the action specifies.

For example, you might want to report search results to stakeholders as an email on a weekly basis at a specific time with the top errors from the previous week. You create a scheduled search and assign an email action to trigger when the scheduled search runs.

Unlike alerts, scheduled searches don't trigger immediately when a query matches events. Scheduled searches only run on the interval defined in the schedule, which can be anywhere from one minute to a full year.

See Scheduled searches in the LogScale documentation for more information about creating scheduled searches.

Prerequisites

Create an action in LogScale to initiate when a scheduled search triggers, such as notifying a PagerDuty group or sending a message to a Slack channel. You can create the scheduled search first, but you then need to create an action and edit the scheduled search to assign the action to it.

If you need to access external LogScale configuration tasks, such as creating a scheduled search template or installing a LogScale package, click Repository settings in Logs to display the full LogScale product.

Create a scheduled search

To create a scheduled search in Logs:

  1. In the navigation menu, select Exploring > Logs Explorer.

  2. Click Logs Automation to display the Logs alerting capabilities.

  3. On the Logs Automation page, click Scheduled searches and then click New scheduled search.

  4. In the New scheduled search pane, enter a name for your scheduled search.

    You can use an existing scheduled search template or import a scheduled search from a template rather than defining a new scheduled search.

  5. In the Query section, enter a query for the scheduled search to match on.

  6. Define your search schedule using a UNIX cron expression.

    Scheduled searches can't run more than once per hour, so the minutes field in the cron expression must be a value in the range [0-59]. For example, the following cron expression sets a schedule for the search to run every Monday at 8:00 AM:

    0 8 * * 1

    If you use H in the cron expression, the schedule uses a number in the range [0-59] for the minute when the search runs, and all consecutive searches run on the same minute.

    H * * * *

    For example, if the selected minute is 48, the scheduled search runs at 00:48, 01:48, 02:48, and onward.

  7. Define the Coordinated Universal Time (UTC) offset for the scheduled search, such as UTC+01:00.

    For example, if you use 0 6 * * * as the cron expression and specify an offset of UTC+01:00, the scheduled search runs at 5:00 AM UTC.

  8. Select an action to determine what happens when the scheduled search triggers.

  9. Set the backfill limit for the number of missed searches to backfill, such as in the event of a shutdown. This limit determines how many missed searches run before scheduling any new searches.

  10. Click Create scheduled search.
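
The checks behind steps 6 and 7, as an added example (not code from Logs or LogScale): a Python pre-flight check that rejects a minutes field that would fire more than once per hour and converts a fixed `minute hour` schedule with a UTC offset to its UTC run time. The function names and the rule that only a single number or `H` is accepted are assumptions drawn from the text above; the product's own validation may differ.

```python
import re
from datetime import datetime, timedelta, timezone

OFFSET_RE = re.compile(r"^UTC([+-])(\d{2}):(\d{2})$")  # format used on this page, e.g. UTC+01:00


def check_minute_field(expr):
    """Return the minutes field if it fires at most once per hour, else raise."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 cron fields, got {len(fields)}: {expr!r}")
    minute = fields[0]
    # Assumption: only a single number 0-59 or H is accepted; *, lists, ranges
    # and steps would make the search run more than once per hour.
    if minute == "H" or (minute.isdigit() and 0 <= int(minute) <= 59):
        return minute
    raise ValueError(f"minutes field {minute!r} must be one number in 0-59 or H")


def parse_offset(text):
    """Turn 'UTC+01:00' into a datetime.timezone."""
    m = OFFSET_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised UTC offset: {text!r}")
    delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    return timezone(delta if m.group(1) == "+" else -delta)


def utc_run_time(expr, offset):
    """UTC time and day shift (-1, 0, +1) for a fixed 'minute hour ...' schedule."""
    minute, hour = check_minute_field(expr), expr.split()[1]
    if not (minute.isdigit() and hour.isdigit() and int(hour) <= 23):
        raise ValueError("only fixed minute and hour values are converted here")
    # Constructed reference date; only the time of day and the day shift matter.
    local = datetime(2024, 1, 10, int(hour), int(minute), tzinfo=parse_offset(offset))
    utc = local.astimezone(timezone.utc)
    return utc.strftime("%H:%M"), (utc.date() - local.date()).days


if __name__ == "__main__":
    for expr, off in [("0 6 * * *", "UTC+01:00"), ("0 0 * * 1", "UTC+01:00")]:
        print(expr, off, "->", utc_run_time(expr, off))
    for expr in ["H * * * *", "* 8 * * 1"]:
        try:
            print(expr, "-> minute field ok:", check_minute_field(expr))
        except ValueError as err:
            print(expr, "-> rejected:", err)
```

A non-zero day shift means the run lands on a different UTC day than the one named in the cron expression: `0 0 * * 1` with UTC+01:00 fires at 23:00 UTC on Sunday, which matters when the query's time window is expressed in UTC.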