Select Search > Scheduled Searches > Schedule.
You must have the Scheduled Search permission to schedule runs of a search.
A scheduled search is a search that runs on a regular interval. Whereas a saved search is saved, but does not run automatically.
Each time a scheduled search runs, search adds the results to the list of Completed Searches runs.
Before creating a Scheduled Search, you must create or save at least one search. For every scheduled search, enter the query, fieldset, or time range for the search events or leave the defined values for the saved search. Just as for a saved search, the following considerations apply to a scheduled search:
The search is case sensitive.
The query input determines the search type (full text, natural language, or contextual).
As you specify the search criteria, the system suggests search items and operators based on a schema data dictionary. To view the predefined queries, type # in the query field.
To search for a field without data, enter [field_name] = Null.
The system treats a comma (,) between search items and values as an OR operator.
To create a scheduled search:
(Conditional) To schedule a search that you are currently viewing, select Schedule.
(Conditional) To schedule a search without currently viewing one, complete the following steps:
Select Search > Scheduled Searches.
Select +.
Specify a Name that is 5 to 255 character long.
To enable the scheduled search, select the Status box.
You can enable and disable scheduled searches at any time in the Scheduled tab.
To indicate how frequently you want the search to run, specify one of the following options:
Hourly
Daily
Weekly
Monthly
Depending on the frequency that you specified in Step 5, configure the settings for the dates and times of each run.
NOTE:For Starting from, if you select end after, the maximum number of instances is 1000.
(Conditional) To schedule an existing search, select one from the pull-down menu under Search Query and Metadata.
(Conditional) To create a query, specify the query parameters, fieldset, and time range.
For example:
Source Address = 192.10.11.12 and Destination Address less than 192.10.11.12
Under Result Retention and Limitations, configure how long you want to keep each completed run of the scheduled search.
NOTES:
Your choice of values for each setting might be confined to limits set by your product administrator.
For Delete results after, you can specify a value that overrides how you configured Search Expires In for your search preferences. For example, your prefer that searches expire within five days. But you want the results for this scheduled search to expire after 10 days.
(Conditional) If you have the Never Expire Search Results permission, you can choose Never Expire to retain the search results indefinitely.
If you select Keep only the most recent run, then, when a run completes successfully, Search deletes the results of the previous run.
For Retrieve up to, specify the number of results you want to receive.
Select Schedule.
The Scheduled Searches tab displays information for created scheduled searches. You can perform the following actions:
To view specific scheduled search details, in the Name column, locate the search name and select it. Click Edit at the top of the table.
To change the sort order, click the column heading to toggle between ascending and descending order.
To rearrange the order of the columns, drag each column header to a new position.
To find a keyword, click the field next to the Magnifying Glass icon (Search Keyword), enter a value, and the system displays your results automatically.
To hide and display a column, in the far right-corner of the window, click the Wrench icon (Manage Columns), and then select and clear the column name checkboxes.
You can filter scheduled searches based on Status, Timestamp, and Fieldset. To filter the data for more specific results, in the far-right corner of the window, click the Funnel icon (Filters), and then select and clear the filter options.
After creating a scheduled search, you can clone it at any time.
Select Search > Scheduled Searches.
Select the scheduled searches that you want to clone.
Click the clone icon.
After creating a scheduled search, you can edit it at any time. After you modify a schedule, the first completed run will have a flag to indicate that the modification occurred.
Select Search > Scheduled Searches.
Select the scheduled searches that you want to edit.
Click the edit icon.
If you change the Pattern values, please be aware that Search counts any and all completed runs before you made the change. For example, your scheduled search uses the repeat forever option and Search has performed three runs. If you update the ending option to end after eight occurrences, Search counts the three previous completed runs; therefore, you would only have five occurrences of the eight occurrences left to run. Should you want eight occurrences, you would need to change your ending option to 11 occurrences.
You can delete a scheduled search at any time. After selecting Delete, the system prompts you to keep or delete the completed runs associated with the scheduled search.
NOTE:To cancel the deletion process, select the X that closes the dialog box, instead of selecting Yes or No.
After creating a scheduled search, you can enable and disable it at any time.
Select Search > Scheduled Searches.
Select the searches that you want to enable or disable.
Select Enable or Disable.
The Status column, if selected in the Manage Columns option, displays the status of either ✓Enabled (green) or X Disabled (red).