We would like to be able to use SumoLogic's to send one alert out for each individual occurrance of a particular pattern.
For example, if we see error ERR123 four times, then four alerts should be sent.
SumoLogic's Real Time Alerts is the closest that we've seen thus far, but it is not obvious how to split into separate alerts if the query returns multiple items.
Is it possible to send out alerts on a one-to-one basis in SumoLogic?
Thomas, The smallest time unit that Real Time Alerts (RTAs) can go to is 1 minute. If your ERR123 events are spaced out by more than one minute, then you are good to go with RTAs.
However, if you have multiple ERR123s within a minute, you might need to get creative. One option is to use the Script Action option in Scheduled Searches. In short, Script Action allows you to send the results of your query to your custom script. Your script can then loop through the result set and send a message for each one of the ERR123 events listed in the results.
Can you tell me a bit about your use case? I've heard the opposite request before: "I've already seen this alert, I know there's an issue; please don't alert me again." I'm interested to know why you are looking to be alerted each time.
By the way, for future reference/questions, here's a Community of Sumo Logic users.
Cheers,
Mario
