Creating alerts from searches
Any saved search can also be run on a schedule. One use for scheduled searches is firing alerts. To get started, choose Alert… from the Create menu.
A wizard interface is presented, covering three steps.
Schedule
The Schedule step provides the following options:
Trigger in real-time whenever a result matches: This option leaves a real-time search running continuously and fires an alert the moment a matching event is seen, so every event that matches your search produces an alert. There is an important throttling option in the next step.
Run on a schedule once every…: New options now appear below the menu.
Schedule: You can choose to either run your search on a set interval or run it according to a cron schedule. Keep in mind that the time frame selected in the time picker is reused on every run of the query; you probably don't want to run a query that looks at 24 hours of data every minute.
Trigger if lets you choose when...
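As an added illustration that is not from the book, here is how the scheduling choices above look in savedsearches.conf, where Splunk stores what the wizard creates; the stanza names, the search text and the e-mail address are constructed placeholders. The first stanza is the mismatch the text warns about (a 24-hour window re-run every minute); the second aligns the search window to the cron period and turns on the throttling option so one noisy host cannot fire an alert on every run.

```ini
# savedsearches.conf (constructed example; stanza names, search and
# e-mail address are placeholders, not taken from the book)

# Weak: cron fires every minute, but the time range carried over from
# the time picker is the last 24 hours, so each run re-scans a full
# day of data and re-alerts on the same events 1,440 times a day.
[failed_logins_every_minute]
search = sourcetype=linux_secure "Failed password" | stats count by host
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = soc@example.com

# Corrected: run every 5 minutes over exactly the previous 5 minutes
# (snapped to the minute so adjacent windows neither overlap nor gap),
# and throttle so a given host triggers at most once per hour.
[failed_logins_5min]
search = sourcetype=linux_secure "Failed password" | stats count by host | where count > 10
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.suppress = 1
alert.suppress.period = 1h
alert.suppress.fields = host
action.email = 1
action.email.to = soc@example.com
```

The same settings can be entered through the wizard; editing the file directly is just the quickest way to see how the schedule, the search window and the throttle relate to each other.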