Scheduled Search
Create periodic searches on telemetry data and set alerts when patterns are found or missing.
Overview
Specify a query to watch for, whether you should be alerted when the query returns results or when it returns none, the number of occurrences that triggers the alert, and the evaluation frequency. This is useful for scenarios like:
- Detecting error rates exceeding normal thresholds
- Identifying unusual patterns in user behavior
- Monitoring for missing scheduled jobs or backups
- Watching for repeated failed login attempts that could indicate brute force attacks
Via Control Plane
1. Go to Scheduled Search in the Control Plane
2. Click on “New Search”
3. Define Search Query
   - Select the telemetry type: Logs, or Traces (coming soon)
   - Enter the query to search for; currently only LogQL is supported
   - To verify the query before saving the rule, click on “View Logs/Traces”
4. Define Alert Configuration
   - Select “Results Found” or “No Results” as the alert condition
   - For “Results Found”, select the minimum number of occurrences that triggers the alert
   - Select the evaluation frequency
   - Select the alert destination; if no notification channel exists yet, click on “Notification Channels” to create one (How to set up a Notification Channel?)
   - Give the rule configuration a unique name
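The following script is an added example, not part of this page or the product's own code. It simulates how the two alert conditions behave when a rule is evaluated: a “Results Found” rule with a minimum occurrence threshold (the brute-force case from the overview) and a “No Results” rule (the missing-backup case). The evaluator implements only a tiny LogQL subset (a stream selector with exact label matches and `|=` substring line filters) and assumes the evaluation looks back over one frequency interval; the log lines, labels, timestamps and thresholds are constructed for illustration.

```python
"""Simulate Scheduled Search alert evaluation on constructed log lines.

Added example, not the product's own code. Assumptions: a rule is evaluated
every `frequency` and looks back over exactly one `frequency` interval; only
the LogQL subset `{k="v", ...} |= "text" ...` is understood.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


@dataclass
class LogLine:
    ts: datetime
    labels: dict
    line: str


@dataclass
class Rule:
    name: str
    query: str
    condition: str                  # "results_found" or "no_results"
    min_occurrences: int = 1        # only used for "results_found"
    frequency: timedelta = timedelta(minutes=5)


_SELECTOR = re.compile(r'^\{([^}]*)\}(.*)$')


def parse_query(query):
    """Split `{app="auth"} |= "failed login"` into (label matchers, line filters)."""
    m = _SELECTOR.match(query.strip())
    if not m:
        raise ValueError(f"unsupported query: {query!r}")
    labels = dict(re.findall(r'(\w+)="([^"]*)"', m.group(1)))
    filters = re.findall(r'\|=\s*"([^"]*)"', m.group(2))
    return labels, filters


def matches(query, entry):
    """True if the entry's stream labels and line satisfy the query."""
    labels, filters = parse_query(query)
    if any(entry.labels.get(k) != v for k, v in labels.items()):
        return False
    return all(f in entry.line for f in filters)


def evaluate(rule, logs, now):
    """Evaluate one rule at time `now`; returns (fires, matching_count)."""
    window_start = now - rule.frequency
    count = sum(1 for e in logs
                if window_start < e.ts <= now and matches(rule.query, e))
    if rule.condition == "results_found":
        return count >= rule.min_occurrences, count
    if rule.condition == "no_results":
        return count == 0, count
    raise ValueError(f"unknown condition: {rule.condition}")


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # assumed evaluation time


def _at(minutes_ago):
    return NOW - timedelta(minutes=minutes_ago)


# Constructed sample telemetry (not real log data).
SAMPLE_LOGS = [
    LogLine(_at(m), {"app": "auth"}, "failed login for user=alice from 203.0.113.7")
    for m in (1, 1, 2, 3, 3, 4)                        # six failures in 5 minutes
] + [
    LogLine(_at(2), {"app": "auth"}, "login ok user=bob"),                # no filter match
    LogLine(_at(3), {"app": "web"}, "failed login renderer timeout"),     # wrong stream
    LogLine(_at(9), {"app": "auth"}, "failed login for user=alice from 203.0.113.7"),  # outside window
    LogLine(_at(40), {"app": "backup"}, "backup job completed ok"),       # older than 30 min
]

BRUTE_FORCE = Rule(
    name="repeated-failed-logins",
    query='{app="auth"} |= "failed login"',
    condition="results_found",
    min_occurrences=5,
    frequency=timedelta(minutes=5),
)

MISSING_BACKUP = Rule(
    name="backup-missing",
    query='{app="backup"} |= "backup job completed"',
    condition="no_results",
    frequency=timedelta(minutes=30),
)


def run_all(rules=(BRUTE_FORCE, MISSING_BACKUP), logs=SAMPLE_LOGS, now=NOW):
    """Evaluate every rule once; returns {rule name: (fires, count)}."""
    return {r.name: evaluate(r, logs, now) for r in rules}


if __name__ == "__main__":
    for name, (fires, count) in run_all().items():
        print(f"{name}: count={count} -> {'ALERT' if fires else 'ok'}")
```

Two things the simulation makes visible. First, the occurrence threshold is counted per evaluation window, so a “Results Found” rule with a threshold of 5 fires here on six failures in five minutes but would stay silent if the same six failures were spread over an hour. Second, a “No Results” rule for a periodic job only works if the lookback covers at least one full job interval; with the 30-minute lookback assumed above, a backup that runs hourly would raise a false alert every other evaluation.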
Via Logs Explorer
1. Run a query in Logs Explorer, in either Builder or Editor mode
2. Click on ⋮ > “Save Query” in the top right
3. Select “Enable alerting via Scheduled Search”
4. Continue from step 4 (Define Alert Configuration) under Via Control Plane
Troubleshooting
Please get in touch with us on Discord or Email if you have any questions.