DOCS-780 - Real-time sched search deprecation

blog-service/2021/12-31.md

@@ -618,13 +618,13 @@ Update - [Scheduled View](/docs/manage/scheduled-views "Scheduled Views") quer
 ---
 ## March 16, 2021 (Alerts)
 
-Update - We have resolved a discrepancy in the notification payload of [Real Time Scheduled Searches](/docs/alerts/scheduled-searches/create-real-time-alert).
+Update - We have resolved a discrepancy in the notification payload of Real-Time Scheduled Searches.
 
 Previously, the payload for subsequent real time alerts in a given time range would incrementally report the results and omit the records that were already present in the previous alert.
 
 For example, if the Scheduled Search initially returned 10 records, the first alert notification would contain 10 records in the payload. If the next run contained the same 10 records plus 1 additional, the notification payload would only contain the single new record.
 
-Going forward, we will ensure that the records sent in the notification payload will always contain all the records returned in the Scheduled Search. Following the above example, the next run of the Real Time Scheduled Search would return 11 records. This change ensures that the payload will always match the results of the search in Sumo Logic.
+Going forward, we will ensure that the records sent in the notification payload will always contain all the records returned in the Scheduled Search. Following the above example, the next run of the Real-Time Scheduled Search would return 11 records. This change ensures that the payload will always match the results of the search in Sumo Logic.
 
 ---
 ## March 12, 2021-12 (Collection)

blog-service/2024/12-31.md

@@ -827,7 +827,7 @@ For information, see [Metrics Explorer](/docs/metrics/metrics-queries/metrics-ex
 
 As part of our ongoing evaluation of the Sumo Logic service, we have decided to deprecate [Real-Time Scheduled Searches](/docs/alerts/scheduled-searches/create-real-time-alert). In particular, we will remove the option to create new Real-Time Scheduled Searches on May 15, 2024. Existing Real-Time Scheduled Searches will continue to function until May 15, 2025. We believe many use cases for Real-Time Scheduled Searches can be met by [Monitors](/docs/alerts/monitors/overview). Any remaining use cases can be met by executing these searches at 15m intervals.
 
-In 2020, Sumo Logic released Monitors, which provided a new framework to trigger alerts on both metrics and log data in real time and send notifications. Real-Time Scheduled Searches provided a much more limited version of this functionality. Monitors will continue to be the focus area for our Product and Engineering Teams for features and enhancements regarding alerting. Learn more [here](/docs/alerts/scheduled-searches/deprecation).
+In 2020, Sumo Logic released Monitors, which provided a new framework to trigger alerts on both metrics and log data in real time and send notifications. Real-Time Scheduled Searches provided a much more limited version of this functionality. Monitors will continue to be the focus area for our Product and Engineering Teams for features and enhancements regarding alerting.
 
 ### April 26, 2024 (Apps)
 
@@ -1119,4 +1119,4 @@ For more information, see our documentation on how to [monitor credits allocatio
 
 #### Index Field
 
-We're excited to include the **Index** field as metadata at the bottom of every message row, along with other metadata. This allows you to modify the search query by clicking the index name or view surrounding messages by clicking on the dropdown. [Learn more](/docs/search/get-started-with-search/search-basics/built-in-metadata). <br/><img src={useBaseUrl('img/search/get-started-search/search-page/index-filter.png')} alt="index-filter" width="800" style={{border: '1px solid gray'}}/>
+We're excited to include the **Index** field as metadata at the bottom of every message row, along with other metadata. This allows you to modify the search query by clicking the index name or view surrounding messages by clicking on the dropdown. [Learn more](/docs/search/get-started-with-search/search-basics/built-in-metadata). <br/><img src={useBaseUrl('img/search/get-started-search/search-page/index-filter.png')} alt="index-filter" width="800" style={{border: '1px solid gray'}}/>

blog-service/2025-05-05-alerts.md

@@ -0,0 +1,17 @@
+---
+title: Real-Time Scheduled Searches Deprecation (Alerts)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - alerts
+  - scheduled searches
+  - monitors
+hide_table_of_contents: true    
+---
+
+The [previously announced](/release-notes-service/2024/12/31/#deprecation-notice---real-time-scheduled-searches) automatic conversion of Real-Time Scheduled Searches to 15-minute scheduled searches will not take place.
+
+- Existing Real-Time Scheduled Searches will continue to operate as-is.
+- Creating new Real-Time Scheduled Searches remains disabled (since May 29, 2024).
+- For new real-time alerting use cases, we recommend using [Monitors](https://help.sumologic.com/docs/alerts/monitors/overview).
+
+[Learn more](/docs/alerts/scheduled-searches/create-real-time-alert).

cid-redirects.json

@@ -3872,6 +3872,7 @@
   "/Dashboards-and-Alerts/Alerts/04-Create-an-Email-Alert": "/docs/alerts/scheduled-searches/create-email-alert",
   "/Dashboards-and-Alerts/Alerts/08-Save-to-Index": "/docs/alerts/scheduled-searches/save-to-index",
   "/Dashboards-and-Alerts/Alerts/03-Create-a-Real-Time-Alert": "/docs/alerts/scheduled-searches/create-real-time-alert",
+  "/docs/alerts/scheduled-searches/deprecation": "/docs/alerts/scheduled-searches/create-real-time-alert",
   "/Data_Enrichment": "/docs/send-data/data-enrichment",
   "/Manage/Connections_and_Integrations/Webhook_Connections": "/docs/alerts/webhook-connections",
   "/Manage/Connections_and_Integrations/Webhook_Connections/About_Webhook_Connections": "/docs/alerts/webhook-connections/set-up-webhook-connections",

docs/alerts/difference-from-scheduled-searches.md

@@ -16,7 +16,7 @@ Scheduled Searches address two primary use cases:
 
 ## Monitors
 
-Monitors are specifically designed for the first use case: alerting. They offer additional capabilities such as auto-resolution and support for multiple notification channels. Any Scheduled Searches created for alerting purposes can be moved to Monitors, including [real-time Scheduled Searches](/docs/alerts/scheduled-searches/create-real-time-alert).
+Monitors are specifically designed for the first use case: alerting. They offer additional capabilities such as auto-resolution and support for multiple notification channels. Any Scheduled Searches created for alerting purposes can be moved to Monitors.
 
 ## Feature differences
 
@@ -31,7 +31,7 @@ Beyond the differences in use cases, there are distinct feature differences betw
 | Alert disablement | No | Yes*<br/>(Disable is a manual operation. We do not support scheduled disabling of alerts.) |
 | API support | Partial*<br/>(Supported via content sync API) | Yes |
 | Terraform support | Yes<br/>(see [content API resource](https://registry.terraform.io/providers/SumoLogic/sumologic/latest/docs/resources/content)) | Yes |
-| Log Search operator support | Yes*<br/>(Some operators are not supported for real-time alerts) | Yes |
+| Log Search operator support | Yes | Yes |
 | Outlier-based alerts | Yes | Yes |
 | Access control | Object-Level Access Control | Object-Level Access Control (Per request - limited availability) |
 | Audit logs for CRUD and system events (e.g., notifications sent, failures) | Yes | Yes |

docs/alerts/scheduled-searches/create-email-alert.md

@@ -80,17 +80,6 @@ Do either of the following:
 If you're a new user and someone has forwarded you an alert email, the links to the search will not work until you've completed your setup process.
 :::
 
-
-### Real-time alerts
-
-:::warning Solution Deprecated
-Effective May 15, 2024, Real-Time Scheduled Searches have been deprecated and you will no longer be able to create them. Real-Time Scheduled Searches created before that date will continue to function until May 15, 2025. We encourage you instead to [create a monitor](/docs/alerts/monitors/create-monitor) for use cases that require real-time alerting. [Learn more](/docs/alerts/scheduled-searches/deprecation).
-:::
-
-[Real-time alerts](create-real-time-alert.md) continuously monitor your Sumo Logic deployment, and return alert emails whenever conditions are met.
-
-Scheduled Searches run according to the time zone of an individual's computer and browser, not according to the time zone of logs.
-
 ## Customize your email alert subject and content
 
 You can use variables to customize the subject of your email. You can also select the features you want to include in your email. For details, see [Create a Scheduled Search Email Alert](create-email-alert.md).

docs/alerts/scheduled-searches/create-real-time-alert.md

@@ -1,69 +1,47 @@
 ---
 id: create-real-time-alert
-title: Create a Scheduled Search Real-Time Alert
-description: Real-time alerts notify you of error conditions right when they occur.
+title: Deprecation of Real-Time Scheduled Searches
 ---
 
-:::warning Solution Deprecated
-The ability to create new real-time alert scheduled searches has been deprecated. While you can no longer create new real-time alerts, existing real-time alerts will continue to function as before. [Learn more](/docs/alerts/scheduled-searches/deprecation).
-:::
-
-Real-time alerts are scheduled searches that run nearly continuously. This means that you're informed in real time when error conditions exist.
-
-When an alert condition is satisfied, Sumo Logic triggers the selected alert type and examines ingested data in a rolling window using the time range you define. When a new result is found, you'll receive an email.
-
-This document describes how to manage existing real-time alert scheduled searches. Although creating new real-time alerts is no longer supported, you can still view, edit, and delete existing ones.
-
-## When to use
-
-Only use real-time schedules when you know your data is ingested within a few minutes of its creation. The [receipt time](/docs/search/get-started-with-search/build-search/use-receipt-time) should be within a few minutes of your log's [message time](/docs/search/get-started-with-search/search-basics/built-in-metadata). Learn about
-troubleshooting timestamp discrepancies [here](/docs/send-data/collector-faq#troubleshooting-time-discrepancies).
+<head>
+ <meta name="robots" content="noindex" />
+</head>
 
-Real-time alerts are not duplicated, which means that if a specific raw log message has triggered an alert once already, that same log message will not trigger an alert a second time.
-
-For example, if **Message X** caused an alert to be sent at **Time T**, and Sumo Logic detects **Message X** again at **Time T+1**, Sumo Logic does not send a second alert at **Time T+1**. But if Sumo Logic detects **Message Y** at **Time T+1**, a new alert is sent, because the root cause is different.
-
-:::important
-If the time zone of messages is set incorrectly, those logs won't be picked up by real-time alerts.
+:::warning Deprecated Feature
+As of May 29, 2024, creating new Real-Time Scheduled Searches has been disabled. Existing Real-Time Scheduled Searches will continue to function as-is. For new alerting needs, we recommend using [Monitors](/docs/alerts/monitors/overview).
 :::
 
+Sumo Logic has deprecated Real-Time Scheduled Searches as part of our ongoing platform improvements. While existing searches continue to operate, [Monitors](/docs/alerts/monitors/overview) are the recommended solution for real-time and scheduled alerting going forward.
 
-## Limitations
-
-* The time range of a real-time alerts must be between 5 and 15 minutes. 
-* Searching by receipt time is not supported.
-* If your search query result is a subset of your previous run's result, a real-time alert will not trigger. It will trigger only when there are new results compared to the previous run.
-* A maximum of 120 emails are sent per day from real-time alerts.
-* Aggregate real-time scheduled searches evaluate the first 1,000 results per search. For example, if the scheduled search is supposed to return more than 1,000 results, reduce the scope of the search.
-* Non-aggregate real-time scheduled searches evaluate the first 100 results per search. For example, if the scheduled search is supposed to return more than 100 results, either convert it to aggregate scheduled search or reduce the scope of the search.
-* The [`_dataTier`](/docs/manage/partitions/data-tiers) search modifier is not supported in real-time alert searches.
+## Deprecation timeline
 
-### Operator limitations
+| Date | Change |
+|:-----|:-------|
+| **May 29, 2024** | Creation of new Real-Time Scheduled Searches was disabled across all accounts. |
+| **May 15, 2025** | Scheduled removal of real-time frequency was canceled. Existing Real-Time Scheduled Searches continue operating without change. |
 
-* Some queries cannot be used in real-time alerts searches. Other operators can be used in real-time search, but in the search, they must be included after the first "group-by" phrase:
+Real-Time Scheduled Searches are considered a legacy feature. Any edits or new creations must use Monitors instead.
 
- | Not supported for real-time alerts | Must be added after a "group by" phrase |
- | :-- | :-- |
- | <ul><li>Count_frequent</li><li>Details</li><li>First, Last - instead use the withtime option, see [`most_recent` and `least_recent`](/docs/search/search-query-language/group-aggregate-operators/most-recent-least-recent).</li><li>LogReduce</li><li>Now()</li><li>Outlier will omit the first N (window size) data points in results because those data points are used in the training phase.</li><li>Join</li><li>Parse using</li><li>queryStartTime()</li><li>queryEndTime()</li><li>Save</li><li>Sessionize</li><li>Subquery</li><li>Threat Intel</li><li>Trace</li><li>Timeslice greater than 1 day</li><li>Transactionize</li></ul> | <ul><li>Accum</li><li>Backshift</li><li>Diff</li><li>Join</li><li>Limit</li><li>RollingStd</li><li>Smooth</li><li>Sort</li><li>Top</li><li>Total</li><li>Transaction By Flow</li><li>Compare With can be used when your query's aggregate operation is grouped by a [`timeslice`](/docs/search/search-query-language/search-operators/timeslice).</li></ul> |
+## Why is this happening?
 
-* Real-time queries using [Time Compare](/docs/search/time-compare) need to have at least three timeslices within its time range. For example, if the time range is 10 minutes, your timeslices need to be no longer than 3 minutes so that there are at least three of them.
+Monitors offer significant improvements over Real-Time Scheduled Searches, including:
 
-## Viewing existing real-time alerts
+* [Multiple trigger conditions](/docs/alerts/monitors/create-monitor/#step-1-set-trigger-conditions) (Critical, Warning, Missing Data)
+* [Alert grouping](/docs/alerts/monitors/alert-grouping/)
+* [Playbook support](/docs/alerts/monitors/alert-response/#alert-details)
+* [AI-driven alerting](/release-notes-service/2024/12/31/#march-12-2024-alerts)
+* [Integration with the Alert Response page](/docs/alerts/monitors/alert-response/)
 
-- Navigate to the **Alerts** section in your Sumo Logic dashboard.
-- Use the search functionality to locate existing real-time alerts.
+Monitors are the strategic focus for our future alerting development and enhancements.
 
-## Editing existing real-time alerts
+## What should I do?
 
-- Click on the real-time alert you wish to edit.
-- Make necessary changes to the alert parameters (such as conditions or notification settings).
-- Save your changes to update the alert.
+* For new real-time alerting needs, use Monitors.
+* If you have existing Real-Time Scheduled Searches, they will continue functioning without changes for now.
+* Edits to existing Real-Time Scheduled Searches are possible, but you cannot create new ones.
 
-## Deleting existing real-time alerts
-
-- Select the real-time alert you want to delete.
-- Click the **Delete** button and confirm the deletion.
-
-## Alternatives to real-time alerts
+:::note Can I import a scheduled search into a monitor?
+No. Because the JSON formatting of Scheduled Searches differs from monitors, you’ll need to manually recreate it as a Monitor from the Search UI for your real-time use cases.
+:::
 
-Since the creation of new real-time alerts is deprecated, we recommend using monitors to achieve similar functionality.
+If you have any questions, reach out to your account team or open a [Support ticket](https://support.sumologic.com/support/s/).