Create scheduled alerts

Create a scheduled alert to search for events on a regular schedule. You can configure scheduling, trigger conditions, and throttling to customize the alert.

To compare scheduled and real-time alerts, see Alert types. To review scenarios for alert types and triggering, see Alert type and triggering scenarios.

Using cron expressions

You can use a cron expression to customize alert scheduling. See Use cron expressions for scheduling to learn more.

Create a scheduled alert

Prerequisites

• Use cron expressions for scheduling
• Alert scheduling tips
• Configure alert trigger conditions
• Monitor triggered alerts

Steps

1. Navigate to the Search page in the Search and Reporting app.
2. Create a search.
3. Select Save As>Alert.
4. Enter a title and optional description.
5. Specify permissions.
6. Configure alert scheduling. There are two options for scheduling.

   Option	Next steps for this option
   Select one of the available scheduling options and set a time.	None.
   For further customization, select Run on Cron Schedule to use a time range and cron expression.	Enter the Earliest and Latest values for the search time range. These values override the original search time range. To avoid overlaps or gaps, the execution schedule should match the search time range. For example, to run a search every 20 minutes the search time range should also be 20 minutes (-20m). Enter a cron expression to schedule the search. See cron expression examples here: Use cron expressions for scheduling.

7. (Optional) Change the Expires setting. This setting controls the lifespan of triggered alert records, which appear on the Triggered Alerts page.
8. Configure trigger conditions.
9. (Optional) Configure a trigger throttling period.
10. Select one or more alert actions that should happen when the alert triggers.
11. Click Save.

Additional resources

• Review scheduled alert best practices in Alert scheduling tips.
• See also Alert examples.