From 9cc1b45a57fea872853c4c9a0007d4d3306331c4 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Wed, 8 Apr 2026 11:12:52 +0530 Subject: [PATCH 1/5] Revise auto refresh and public dashboard restrictions Updated section headers and clarified restrictions on auto refresh and public dashboards. Added details on unsupported operators and modifiers. --- .../restricted-operators-dashboards.md | 48 ++++++++++--------- 1 file changed, 25 insertions(+), 23 deletions(-) diff --git a/docs/dashboards/restricted-operators-dashboards.md b/docs/dashboards/restricted-operators-dashboards.md index b2018bdec5..a8e39f07a6 100644 --- a/docs/dashboards/restricted-operators-dashboards.md +++ b/docs/dashboards/restricted-operators-dashboards.md 
@@ -18,32 +18,34 @@ The following operators cannot be used with dashboards: * `Sample` (internal-use operator) * [`Save`](/docs/search/search-query-language/search-operators/save) -## Auto refresh restrictions +## Auto refresh and public dashboard restrictions -The following operators cannot be used in Auto refresh: +* The following operators cannot be used: + * `Compare With` can be used when your query's aggregate operation is grouped by a [timeslice](/docs/search/search-query-language/search-operators/timeslice) + * [`Cat`](/docs/search/search-query-language/search-operators/cat/) + * `Details` + * [`First`, `Last`](/docs/search/search-query-language/group-aggregate-operators/first-last/) - instead use the **withtime** option, see [`most_recent` and `least_recent`](/docs/search/search-query-language/group-aggregate-operators/most-recent-least-recent). + * [`Join`](/docs/search/search-query-language/search-operators/join/) + * [`LogReduce`](/docs/search/behavior-insights/logreduce/logreduce-operator/) + * [`LogCompare`](/docs/search/behavior-insights/logcompare/) + * [`Now`](/docs/search/search-query-language/search-operators/now) + * [`Outlier`](/docs/search/search-query-language/search-operators/outlier/) will omit the first N (window size) data points in results because those data points are used in the training phase. 
+ * `Parse Using` + * [`queryStartTime()`](/docs/search/search-query-language/search-operators/querystarttime) + * [`queryEndTime()`](/docs/search/search-query-language/search-operators/queryendtime) + * [`Save`](/docs/search/search-query-language/search-operators/save/) + * `Sessionize` + * [`Subquery`](/docs/search/subqueries) + * `Threat Intel` + * [`Trace`](/docs/search/search-query-language/search-operators/trace) + * [`Timeslice`](/docs/search/search-query-language/search-operators/timeslice) greater than 1 day + * [`Transactionize`](/docs/search/search-query-language/transaction-analytics/transactionize-operator/) -* `Compare With` can be used when your query's aggregate operation is grouped by a [timeslice](/docs/search/search-query-language/search-operators/timeslice) -* `Details` -* [`First`, `Last`](/docs/search/search-query-language/group-aggregate-operators/first-last/) - instead use the **withtime** option, see [`most_recent` and `least_recent`](/docs/search/search-query-language/group-aggregate-operators/most-recent-least-recent). -* [`Join`](/docs/search/search-query-language/search-operators/join/) -* [`LogReduce`](/docs/search/behavior-insights/logreduce/logreduce-operator/) -* [`LogCompare`](/docs/search/behavior-insights/logcompare/) -* [`Now`](/docs/search/search-query-language/search-operators/now) -* [`Outlier`](/docs/search/search-query-language/search-operators/outlier/) will omit the first N (window size) data points in results because those data points are used in the training phase. 
-* `Parse Using` -* [`queryStartTime()`](/docs/search/search-query-language/search-operators/querystarttime) -* [`queryEndTime()`](/docs/search/search-query-language/search-operators/queryendtime) -* [`Save`](/docs/search/search-query-language/search-operators/save/) -* `Sessionize` -* [`Subquery`](/docs/search/subqueries) -* `Threat Intel` -* [`Trace`](/docs/search/search-query-language/search-operators/trace) -* [`Timeslice`](/docs/search/search-query-language/search-operators/timeslice) greater than 1 day -* [`Transactionize`](/docs/search/search-query-language/transaction-analytics/transactionize-operator/) - -The following search modifier cannot be used in Auto refresh. +* The following search modifier cannot be used. + * `_dataTier` -* `_dataTier` +* [Receipt time searches](/docs/search/get-started-with-search/build-search/use-receipt-time) are not supported. +* Only [relative time ranges](docs/search/get-started-with-search/search-basics/time-range-expressions/#relative-time-range-expressions) are supported. [Absolute time ranges](/docs/search/get-started-with-search/search-basics/time-range-expressions/#absolute-time-range-expressions) with custom end times are not supported. ## Include only after the first group-by phrase From 59c21dc12684e0025f09ba6b56fff6a4df0088a5 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Wed, 8 Apr 2026 11:28:17 +0530 Subject: [PATCH 2/5] Apply suggestion from @JV0812 --- docs/dashboards/restricted-operators-dashboards.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/dashboards/restricted-operators-dashboards.md b/docs/dashboards/restricted-operators-dashboards.md index a8e39f07a6..41b5bb1bf1 100644 --- a/docs/dashboards/restricted-operators-dashboards.md +++ b/docs/dashboards/restricted-operators-dashboards.md 
@@ -45,7 +45,7 @@ The following operators cannot be used with dashboards: * `_dataTier` * [Receipt time searches](/docs/search/get-started-with-search/build-search/use-receipt-time) are not supported. -* Only [relative time ranges](docs/search/get-started-with-search/search-basics/time-range-expressions/#relative-time-range-expressions) are supported. [Absolute time ranges](/docs/search/get-started-with-search/search-basics/time-range-expressions/#absolute-time-range-expressions) with custom end times are not supported. +* Only [relative time ranges](/docs/search/get-started-with-search/search-basics/time-range-expressions/#relative-time-range-expressions) are supported. [Absolute time ranges](/docs/search/get-started-with-search/search-basics/time-range-expressions/#absolute-time-range-expressions) with custom end times are not supported. ## Include only after the first group-by phrase From e727522323031727a66bc8cec44dfbfbbc0b85bf Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:02:43 +0530 Subject: [PATCH 3/5] Apply suggestion from @jpipkin1 Co-authored-by: John Pipkin (Sumo Logic) --- docs/dashboards/restricted-operators-dashboards.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/dashboards/restricted-operators-dashboards.md b/docs/dashboards/restricted-operators-dashboards.md index 41b5bb1bf1..816b4088d1 100644 --- a/docs/dashboards/restricted-operators-dashboards.md +++ b/docs/dashboards/restricted-operators-dashboards.md 
@@ -21,7 +21,7 @@ The following operators cannot be used with dashboards: ## Auto refresh and public dashboard restrictions * The following operators cannot be used: - * `Compare With` can be used when your query's aggregate operation is grouped by a [timeslice](/docs/search/search-query-language/search-operators/timeslice) + * `Compare With` can be used when your query's aggregate operation is grouped by a [timeslice](/docs/search/search-query-language/search-operators/timeslice). * [`Cat`](/docs/search/search-query-language/search-operators/cat/) * `Details` * [`First`, `Last`](/docs/search/search-query-language/group-aggregate-operators/first-last/) - instead use the **withtime** option, see [`most_recent` and `least_recent`](/docs/search/search-query-language/group-aggregate-operators/most-recent-least-recent). From c762b53908d0d6b964f81d279a3a0536818aff67 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:02:51 +0530 Subject: [PATCH 4/5] Apply suggestion from @jpipkin1 Co-authored-by: John Pipkin (Sumo Logic) --- docs/dashboards/restricted-operators-dashboards.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/dashboards/restricted-operators-dashboards.md b/docs/dashboards/restricted-operators-dashboards.md index 816b4088d1..56d11e1ced 100644 --- a/docs/dashboards/restricted-operators-dashboards.md +++ b/docs/dashboards/restricted-operators-dashboards.md 
@@ -24,7 +24,7 @@ The following operators cannot be used with dashboards: * `Compare With` can be used when your query's aggregate operation is grouped by a [timeslice](/docs/search/search-query-language/search-operators/timeslice). * [`Cat`](/docs/search/search-query-language/search-operators/cat/) * `Details` - * [`First`, `Last`](/docs/search/search-query-language/group-aggregate-operators/first-last/) - instead use the **withtime** option, see [`most_recent` and `least_recent`](/docs/search/search-query-language/group-aggregate-operators/most-recent-least-recent). + * [`First`, `Last`](/docs/search/search-query-language/group-aggregate-operators/first-last/). Instead use the `withtime` option. See [`most_recent` and `least_recent`](/docs/search/search-query-language/group-aggregate-operators/most-recent-least-recent). * [`Join`](/docs/search/search-query-language/search-operators/join/) * [`LogReduce`](/docs/search/behavior-insights/logreduce/logreduce-operator/) * [`LogCompare`](/docs/search/behavior-insights/logcompare/) From 6230332cd489c629e052169d634b551f2ddfb7a7 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:02:58 +0530 Subject: [PATCH 5/5] Apply suggestion from @jpipkin1 Co-authored-by: John Pipkin (Sumo Logic) --- docs/dashboards/restricted-operators-dashboards.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/dashboards/restricted-operators-dashboards.md b/docs/dashboards/restricted-operators-dashboards.md index 56d11e1ced..237881f448 100644 --- a/docs/dashboards/restricted-operators-dashboards.md +++ b/docs/dashboards/restricted-operators-dashboards.md 
@@ -38,7 +38,7 @@ The following operators cannot be used with dashboards: * [`Subquery`](/docs/search/subqueries) * `Threat Intel` * [`Trace`](/docs/search/search-query-language/search-operators/trace) - * [`Timeslice`](/docs/search/search-query-language/search-operators/timeslice) greater than 1 day + * [`Timeslice`](/docs/search/search-query-language/search-operators/timeslice) greater than 1 day. * [`Transactionize`](/docs/search/search-query-language/transaction-analytics/transactionize-operator/) * The following search modifier cannot be used.
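Review bot: In PATCH 1/5, the `Outlier` item under "The following operators cannot be used:" describes a behaviour ("will omit the first N (window size) data points in results") rather than a restriction, so a reader cannot tell whether `Outlier` is blocked or allowed with that caveat, and the renamed section now makes the same claim for public dashboards. Move caveat-style entries out of the "cannot be used" list or reword them as conditions. The heading text also changes from "Auto refresh restrictions", so check for existing links that point at the old heading.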
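Review bot: In PATCH 2/5, the corrected bullet says "Only relative time ranges are supported" and then that absolute time ranges "with custom end times" are not supported; the second sentence implies that absolute ranges without a custom end time might work, which contradicts "Only". State one rule, or say which absolute ranges are accepted, if any. The leading-slash fix itself brings the link in line with the other `/docs/...` links in the hunk.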
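Review bot: In PATCH 3/5, the `Compare With` item still reads "can be used when ..." directly under "The following operators cannot be used:", so the item contradicts its list heading, and adding the period does not address that. Suggest phrasing it as the restriction, for example "`Compare With`, unless the query's aggregate operation is grouped by a timeslice". The trailing period is also inconsistent with the neighbouring `Cat` and `Details` items, which have none.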
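Review bot: In PATCH 4/5, "Instead use the `withtime` option." does not say which operator takes that option, and the item now opens with a bare linked name followed by a period. If `withtime` belongs to `most_recent` and `least_recent`, as the link that follows suggests, name those operators in the same sentence as the option so the replacement is clear without following the link.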
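Review bot: In PATCH 5/5, "`Timeslice` ... greater than 1 day." does not say what is greater than 1 day, and the added period punctuates a fragment while the adjacent `Trace` and `Transactionize` items stay unpunctuated. State the measured quantity explicitly and apply one punctuation rule across the list.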