Real-time sched search deprecation

kimsauce · kimsauce · commit deb61d44a345 · 2025-03-27T14:59:15.000-07:00
diff --git a/docs/alerts/difference-from-scheduled-searches.md b/docs/alerts/difference-from-scheduled-searches.md
@@ -16,7 +16,7 @@ Scheduled Searches address two primary use cases:
 
 ## Monitors
 
-Monitors are specifically designed for the first use case: alerting. They offer additional capabilities such as auto-resolution and support for multiple notification channels. Any Scheduled Searches created for alerting purposes can be moved to Monitors, including [real-time Scheduled Searches](/docs/alerts/scheduled-searches/create-real-time-alert).
+Monitors are specifically designed for the first use case: alerting. They offer additional capabilities such as auto-resolution and support for multiple notification channels. Any Scheduled Searches created for alerting purposes can be moved to Monitors.
 
 ## Feature differences
 
diff --git a/docs/alerts/scheduled-searches/create-real-time-alert.md b/docs/alerts/scheduled-searches/create-real-time-alert.md
@@ -1,11 +1,11 @@
 ---
 id: create-real-time-alert
-title: Create a Scheduled Search Real-Time Alert
+title: Manage Real-Time Scheduled Search Alerts (Deprecated)
 description: Real-time alerts notify you of error conditions right when they occur.
 ---
 
 :::warning Solution Deprecated
-The ability to create new real-time alert scheduled searches has been deprecated. While you can no longer create new real-time alerts, existing real-time alerts will continue to function as before. [Learn more](/docs/alerts/scheduled-searches/deprecation).
+Real-Time Scheduled Searches will be deprecated on May 15, 2025. Existing searches will be automatically converted to [15-minute scheduled search frequency windows](/docs/alerts/scheduled-searches/schedule-search/#step-2-set-run-frequency) unless your account was explicitly excluded. If you need real-time alerts, we recommend transitioning to [Monitors](/docs/alerts/monitors/overview).
 :::
 
 Real-time alerts are scheduled searches that run nearly continuously. This means that you're informed in real time when error conditions exist.
diff --git a/docs/alerts/scheduled-searches/deprecation.md b/docs/alerts/scheduled-searches/deprecation.md
@@ -3,34 +3,45 @@ id: deprecation
 title: Deprecation of Real-Time Scheduled Searches
 ---
 
-As part of our ongoing evaluation of the Sumo Logic service, we have decided to deprecate [Real-Time Scheduled Searches](/docs/alerts/scheduled-searches/create-real-time-alert). In particular, we will remove the option to create new Real-Time Scheduled Searches on **May 29, 2024**. Existing Real-Time Scheduled Searches will continue to function until **May 15, 2025**. We believe many use cases for Real-Time Scheduled Searches can be met by [Monitors](/docs/alerts/monitors/overview). Any remaining use cases can be met by executing these searches at 15m intervals. These options are discussed below.
+:::warning Deprecation Notice
+Real-Time Scheduled Searches will be deprecated on **May 15, 2025**. As of **May 29, 2024**, creating new Real-Time Scheduled Searches is no longer supported. Existing Real-Time Searches will continue to function until the deprecation date, at which point they will automatically convert to 15-minute schedules. See below for full details.
+:::
 
-In 2020, Sumo Logic released Monitors, which provided a new framework to trigger alerts on both metrics and log data in real time and send notifications. Real-Time Scheduled Searches provided a much more limited version of this functionality, but has continued to exist in the Sumo Logic Platform.
+As part of our ongoing platform improvements, we are deprecating [Real-Time Scheduled Searches](/docs/alerts/scheduled-searches/create-real-time-alert). While this functionality has supported real-time alerting for many years, our modern alerting framework, [Monitors](/docs/alerts/monitors/overview), offers a more powerful and flexible experience for real-time and scheduled alerts.
 
-## Why is this happening?
-
-Monitors provide the same functionality as a Real-Time Scheduled Search, but offer a number of additional features and significant enhancements such as:
+## Deprecation timeline
 
-* [Multiple Trigger Conditions](/docs/alerts/monitors/create-monitor/#step-1-set-trigger-conditions) (Critical, Warning, Missing Data)
-* [Alert Grouping](/docs/alerts/monitors/alert-grouping/)
-* [Playbook Support](/docs/alerts/monitors/alert-response/#alert-details)
-* [Integration into our Alert Response Page](/docs/alerts/monitors/alert-response/)
-* [AI-Driven Alerting](/release-notes-service/2024/12/31/#march-12-2024-alerts)
+| Date | Change |
+|:-----|:-------|
+| **May 29, 2024** | Creation of new Real-Time Scheduled Searches was disabled across all Sumo Logic accounts |
+| **May 15, 2025** | All remaining Real-Time Searches will automatically convert to 15-minute schedules (except for a small number of customers with exceptions). Each conversion will be recorded via audit log. Real-Time frequency will no longer be editable. |
 
-Furthermore, Monitors will continue to be the focus area for our Product and Engineering Teams for features and enhancements regarding alerting.
+## Why is this happening?
 
-## What is happening?
+[Monitors](/docs/alerts/monitors/overview) support real-time alerting on both logs and metrics, and offer significant advantages over Scheduled Searches, including:
 
-After **May 29, 2024**, it will no longer be possible to create a new Scheduled Search with a frequency of Real-Time. We recommend you create a Monitor to address this use case. Note that this does not have any effect on the creation of new Scheduled Searches with other frequencies of 15 Minutes, Hourly, Daily, Weekly, or a specific Cron schedule for example.
+* [Multiple trigger conditions](/docs/alerts/monitors/create-monitor/#step-1-set-trigger-conditions) (Critical, Warning, Missing Data)
+* [Alert grouping](/docs/alerts/monitors/alert-grouping/)
+* [Playbook support](/docs/alerts/monitors/alert-response/#alert-details)
+* [AI-driven alerting](/release-notes-service/2024/12/31/#march-12-2024-alerts)
+* [Integration with the Alert Response page](/docs/alerts/monitors/alert-response/)
 
-Real-Time Scheduled Searches that were created up until **May 29, 2024** will continue to function without any interruption for 1 year until **May 15, 2025**, and any edits to those schedules will still be supported until the next year. Please note, however, that if the frequency of an existing Real-Time Scheduled search is modified to a different parameter, it will not be able to be changed back to Real-Time.
+Monitors are the primary focus for our Product and Engineering Teams for alerting features and enhancements.
 
 ## What do I need to do?
 
-Before **May 15, 2025**, please migrate any Real-Time Scheduled Searches to either Monitors or reduce their frequency to the minimum of 15m or another suitable time range. Any Real-Time Scheduled Searches that remain after the deprecation date will automatically be converted to 15m schedules. For each automatic conversion, there will be a corresponding audit log for this activity written to your Sumo Logic instance. 
+Before **May 15, 2025**, we recommend:
+
+* If you need real-time alerting, recreate your Real-Time Scheduled Searches as [Monitors](/docs/alerts/monitors/overview).
+   :::note Can I import a Scheduled Search into a Monitor?
+   No. Scheduled Searches and Monitors use different JSON structures. You’ll need to recreate the search logic manually in the [Monitor creation UI](/docs/alerts/monitors/create-monitor/).
+   :::
+* If real-time execution isn’t required, you can manually update your Scheduled Search to run every 15 minutes or longer.
 
-### Can I import a scheduled search into a monitor?
+After the deprecation date, all remaining Real-Time Scheduled Searches will be automatically updated to run at 15-minute intervals. An audit log entry will be generated for each conversion.
 
-No. Because the JSON formatting of Scheduled Searches differs from monitors, you'll need to create a monitor manually from the Search UI for your real-time use cases.
+:::note
+If you edit an existing Real-Time Scheduled Search and change the frequency, you will not be able to revert it back to Real-Time.
+:::
 
 If you have any questions, please reach out to your account team or open a [Support ticket](https://support.sumologic.com/support/s/).
diff --git a/docs/alerts/scheduled-searches/index.md b/docs/alerts/scheduled-searches/index.md
@@ -23,8 +23,8 @@ A _Scheduled Search_ is a standard [Log Search](/docs/search) that you save and
 </div>
 <div className="box smallbox card">
   <div className="container">
-  <a href="/docs/alerts/scheduled-searches/create-real-time-alert"><img src={useBaseUrl('img/icons/general/calendar.png')} alt="icon" width="40"/><h4>Create a Scheduled Search Real-Time Alert</h4></a>
-  <p>Learn how to create an alert to get notified in real-time when error conditions exist.</p>
+  <a href="/docs/alerts/scheduled-searches/create-real-time-alert"><img src={useBaseUrl('img/icons/general/calendar.png')} alt="icon" width="40"/><h4>Manage Real-Time Scheduled Search Alerts (Deprecated) </h4></a>
+  <p>Learn how to manage existing alerts to get notified in real-time when error conditions exist.</p>
   </div>
 </div>
 <div className="box smallbox card">
diff --git a/docs/search/subqueries.md b/docs/search/subqueries.md
@@ -15,7 +15,7 @@ In a subquery, the parent query contains the main body of the query while the c
 * **Parent query**. Depends on the input from a child query or queries to finish its execution.
 
 :::note Limitations
-Subqueries are not supported in auto refresh dashboards, real-time Scheduled Searches, Field Extraction Rules, and Scheduled Views.
+Subqueries are not supported in auto refresh dashboards, Field Extraction Rules, and Scheduled Views.
 :::
 
 ## Syntax
