Automating searches and responses

LogScale allows you to automate the running of queries and to be notified when certain events occur. This is done with the following features:

  • Alerts

    You can create alerts that execute queries and trigger Actions when a matching event is identified by the query during ingest. Alerts are live queries: queries that run continually and trigger an action whenever the query returns results.

    Alerts are triggered as data is being ingested into LogScale, and trigger the action response as soon as one or more events in the incoming data match the query. Using alerts allows for notification whenever a query matches the configured search. This can be used, for example, to notify of excessive network connections, or of a specific error identified in an ingested log file, based on the query that the alert executes.

    Alerts can be configured to execute a trigger on a matching event, and to throttle the action trigger if multiple events match within a specified time window. See Setting Alert Throttle Period for more information.

    Alerts should not be used for processing historical information, as the queries are executed on incoming data. For regular querying of existing or historical data, use Scheduled Searches.

    For more information on alerts, including how to create, manage, and monitor alert execution, see Alerts.

  • Scheduled Searches

    Scheduled Searches are queries run at a regular interval on previously ingested and stored data. When the scheduled search returns results, one or more Actions are triggered. Unlike Alerts, scheduled searches only run according to the configured schedule, which can be set to an interval from 1 minute to years.

    Scheduled searches should not be used for queries where an instant action or notification is required. The live queries performed by Alerts are more efficient when immediate notification is needed.

    Scheduled searches are ideal for regularly reporting on historical data for auditing or monitoring purposes.

    See Scheduled Searches for more information.

  • Actions

    When an alert or scheduled search is triggered, it initiates an action, which could include sending someone a message about a problem on the servers, logging it to another system, or performing some other action. See Actions for more information.

When choosing whether to use a Scheduled Search or an Alert, consider where the data is coming from and how quickly you want the query to respond. Some examples of different query types, and which automation to use for each, are given in the table below:

Table: Comparing Alerts and Scheduled Searches

Scenario                                  Alert   Scheduled Search
Instant notification of matching events   Yes     No
Active searches while ingesting events    Yes     No
Historical events                         No      Yes
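To make the distinction concrete, here is an added simulation (not LogScale code, and not from the LogScale documentation) of the two mechanisms over a constructed event stream: the alert evaluates each event at ingest and applies a throttle period, while the scheduled search runs at a fixed interval over the stored events. The 60-second throttle, the 60-second schedule and the sample events are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

@dataclass
class Event:
    ts: int   # ingest time, seconds since the start of the constructed stream
    msg: str

@dataclass
class Alert:
    """Live query: checked against every event as it is ingested."""
    matches: Callable[[Event], bool]
    throttle_s: int                       # throttle period (assumed 60 s below)
    last_fired: Optional[int] = None
    fired_at: List[int] = field(default_factory=list)
    def ingest(self, ev: Event) -> bool:
        if not self.matches(ev):
            return False
        # A match inside the throttle window still matches, but its action is suppressed.
        if self.last_fired is not None and ev.ts - self.last_fired < self.throttle_s:
            return False
        self.last_fired = ev.ts
        self.fired_at.append(ev.ts)
        return True

@dataclass
class ScheduledSearch:
    """Runs on a fixed schedule over stored events; each run covers the last interval."""
    matches: Callable[[Event], bool]
    interval_s: int
    runs: List[Tuple[int, int]] = field(default_factory=list)   # (run time, hit count)
    def run(self, store: List[Event], now: int) -> int:
        hits = [e for e in store if now - self.interval_s <= e.ts < now and self.matches(e)]
        if hits:                          # the action only triggers when results are returned
            self.runs.append((now, len(hits)))
        return len(hits)

def demo(end_ts: int = 180) -> Tuple[List[int], List[Tuple[int, int]]]:
    is_error = lambda e: e.msg.startswith("ERROR")
    stream = [Event(5, "ERROR db timeout"), Event(20, "ERROR db timeout"),   # constructed sample
              Event(40, "ERROR db timeout"), Event(75, "INFO healthy"),
              Event(130, "ERROR disk full")]
    alert, search = Alert(is_error, throttle_s=60), ScheduledSearch(is_error, interval_s=60)
    store: List[Event] = []
    for ev in stream:                     # ingest: the alert reacts to each event immediately
        store.append(ev)
        alert.ingest(ev)
    for now in range(search.interval_s, end_ts + 1, search.interval_s):
        search.run(store, now)            # schedule: the search reports once per interval
    return alert.fired_at, search.runs
```

The alert fires at t=5 and, after throttling the next two matches, again at t=130; the scheduled search reports the three early errors together at its t=60 run and the last one at t=180.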