Restricted Operators in Dashboards

This page has information about restrictions and rules about using Sumo Logic log search operators with dashboards.

Dashboard restrictions

The following operators cannot be used with dashboards:

• Details
• LogReduce
• LogCompare
• Parse multi
• Sample (internal-use operator)
• Save

Auto refresh restrictions

The following operators cannot be used in Auto refresh:

• Compare With can be used when your query's aggregate operation is grouped by a timeslice
• Details
• First, Last - instead use the withtime option, see most_recent and least_recent.
• Join
• LogReduce
• LogCompare
• Now
• Outlier will omit the first N (window size) data points in results because those data points are used in the training phase.
• Parse Using
• queryStartTime()
• queryEndTime()
• Save
• Sessionize
• Subquery
• Threat Intel
• Trace
• Timeslice greater than 1 day
• Transactionize

The following search modifier cannot be used in Auto refresh.

• _dataTier

Include only after the first group-by phrase

You can use the following operators in dashboard panels:

• Accum
• Backshift
• Diff
• Join
• Limit
• RollingStd
• Smooth
• Sort
• Top
• Total
• Transaction By Flow

Example

"error"
| timeslice 1d
| count by _timeslice
| sort by _timeslice asc
| accum _count as running_total

Notes

You can use the count_frequent operator in dashboard queries, but the number of results returned is limited to the top 100 most frequent results. All results are available when the search is run on the Search page, but only the top 100 are displayed in the Panel.