DOCS-780 - Real-time sched search deprecation

blog-service/2021/12-31.md

@@ -618,13 +618,13 @@ Update - [Scheduled View](/docs/manage/scheduled-views "Scheduled Views") quer
 ---
 ## March 16, 2021 (Alerts)
 
-Update - We have resolved a discrepancy in the notification payload of [Real Time Scheduled Searches](/docs/alerts/scheduled-searches/create-real-time-alert).
+Update - We have resolved a discrepancy in the notification payload of Real-Time Scheduled Searches.
 
 Previously, the payload for subsequent real time alerts in a given time range would incrementally report the results and omit the records that were already present in the previous alert.
 
 For example, if the Scheduled Search initially returned 10 records, the first alert notification would contain 10 records in the payload. If the next run contained the same 10 records plus 1 additional, the notification payload would only contain the single new record.
 
-Going forward, we will ensure that the records sent in the notification payload will always contain all the records returned in the Scheduled Search. Following the above example, the next run of the Real Time Scheduled Search would return 11 records. This change ensures that the payload will always match the results of the search in Sumo Logic.
+Going forward, we will ensure that the records sent in the notification payload will always contain all the records returned in the Scheduled Search. Following the above example, the next run of the Real-Time Scheduled Search would return 11 records. This change ensures that the payload will always match the results of the search in Sumo Logic.
 
 ---
 ## March 12, 2021-12 (Collection)

blog-service/2025-05-15-alerts.md

@@ -0,0 +1,19 @@
+---
+title: Real-Time Scheduled Searches Fully Deprecated (Alerts)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - alerts
+  - scheduled searches
+  - monitors
+hide_table_of_contents: true    
+---
+
+As of today, all remaining Real-Time Scheduled Searches have been automatically converted to 15-minute schedules. The ability to create or run Scheduled Searches with real-time frequency is no longer supported.
+
+Key details:
+* Real-Time frequency is no longer available in Scheduled Search creation or editing workflows.
+* Any previously existing Real-Time Scheduled Searches now run on a 15-minute schedule.
+* Each conversion has been recorded as an audit log event in your account.
+* A small number of accounts with approved exceptions remain unaffected.
+
+For real-time alerting, use [Monitors](/docs/alerts/monitors/overview), which provide richer capabilities such as multiple trigger conditions, alert grouping, and AI-driven insights. Learn more: [Deprecation of Real-Time Scheduled Searches](/docs/alerts/scheduled-searches/create-real-time-alert)

cid-redirects.json

@@ -3864,6 +3864,7 @@
   "/Dashboards-and-Alerts/Alerts/04-Create-an-Email-Alert": "/docs/alerts/scheduled-searches/create-email-alert",
   "/Dashboards-and-Alerts/Alerts/08-Save-to-Index": "/docs/alerts/scheduled-searches/save-to-index",
   "/Dashboards-and-Alerts/Alerts/03-Create-a-Real-Time-Alert": "/docs/alerts/scheduled-searches/create-real-time-alert",
+  "/docs/alerts/scheduled-searches/deprecation": "/docs/alerts/scheduled-searches/create-real-time-alert",
   "/Data_Enrichment": "/docs/send-data/data-enrichment",
   "/Manage/Connections_and_Integrations/Webhook_Connections": "/docs/alerts/webhook-connections",
   "/Manage/Connections_and_Integrations/Webhook_Connections/About_Webhook_Connections": "/docs/alerts/webhook-connections/set-up-webhook-connections",

docs/alerts/difference-from-scheduled-searches.md

@@ -16,7 +16,7 @@ Scheduled Searches address two primary use cases:
 
 ## Monitors
 
-Monitors are specifically designed for the first use case: alerting. They offer additional capabilities such as auto-resolution and support for multiple notification channels. Any Scheduled Searches created for alerting purposes can be moved to Monitors, including [real-time Scheduled Searches](/docs/alerts/scheduled-searches/create-real-time-alert).
+Monitors are specifically designed for the first use case: alerting. They offer additional capabilities such as auto-resolution and support for multiple notification channels. Any Scheduled Searches created for alerting purposes can be moved to Monitors.
 
 ## Feature differences
 

docs/alerts/scheduled-searches/create-email-alert.md

@@ -80,17 +80,6 @@ Do either of the following:
 If you're a new user and someone has forwarded you an alert email, the links to the search will not work until you've completed your setup process.
 :::
 
-
-### Real-time alerts
-
-:::warning Solution Deprecated
-Effective May 15, 2024, Real-Time Scheduled Searches have been deprecated and you will no longer be able to create them. Real-Time Scheduled Searches created before that date will continue to function until May 15, 2025. We encourage you instead to [create a monitor](/docs/alerts/monitors/create-monitor) for use cases that require real-time alerting. [Learn more](/docs/alerts/scheduled-searches/deprecation).
-:::
-
-[Real-time alerts](create-real-time-alert.md) continuously monitor your Sumo Logic deployment, and return alert emails whenever conditions are met.
-
-Scheduled Searches run according to the time zone of an individual's computer and browser, not according to the time zone of logs.
-
 ## Customize your email alert subject and content
 
 You can use variables to customize the subject of your email. You can also select the features you want to include in your email. For details, see [Create a Scheduled Search Email Alert](create-email-alert.md).

docs/alerts/scheduled-searches/create-real-time-alert.md

@@ -1,69 +1,45 @@
 ---
 id: create-real-time-alert
-title: Create a Scheduled Search Real-Time Alert
-description: Real-time alerts notify you of error conditions right when they occur.
+title: Deprecation of Real-Time Scheduled Searches
 ---
 
-:::warning Solution Deprecated
-The ability to create new real-time alert scheduled searches has been deprecated. While you can no longer create new real-time alerts, existing real-time alerts will continue to function as before. [Learn more](/docs/alerts/scheduled-searches/deprecation).
+:::warning Deprecated Feature
+As of **May 15, 2025**, Real-Time Scheduled Searches are officially deprecated and no longer run in real time. All remaining Real-Time Scheduled Searches have been automatically converted to 15-minute schedules. For real-time alerting, use [Monitors](/docs/alerts/monitors/overview).
 :::
 
-Real-time alerts are scheduled searches that run nearly continuously. This means that you're informed in real time when error conditions exist.
+As part of our ongoing platform improvements, Sumo Logic has officially deprecated [Real-Time Scheduled Searches](/docs/alerts/scheduled-searches/create-real-time-alert). These legacy searches have been replaced by [Monitors](/docs/alerts/monitors/overview), which offer more powerful, scalable, and flexible alerting capabilities.
 
-When an alert condition is satisfied, Sumo Logic triggers the selected alert type and examines ingested data in a rolling window using the time range you define. When a new result is found, you'll receive an email.
 
-This document describes how to manage existing real-time alert scheduled searches. Although creating new real-time alerts is no longer supported, you can still view, edit, and delete existing ones.
+## Deprecation timeline
 
-## When to use
+| Date | Change |
+|:-----|:-------|
+| **May 29, 2024** | Creation of new Real-Time Scheduled Searches was disabled across all Sumo Logic accounts |
+| **May 15, 2025** | All remaining Real-Time Scheduled Searches were automatically converted to 15-minute schedules (except for a small number of approved exceptions). An audit log entry was created for each conversion. |
 
-Only use real-time schedules when you know your data is ingested within a few minutes of its creation. The [receipt time](/docs/search/get-started-with-search/build-search/use-receipt-time) should be within a few minutes of your log's [message time](/docs/search/get-started-with-search/search-basics/built-in-metadata). Learn about
-troubleshooting timestamp discrepancies [here](/docs/send-data/collector-faq#troubleshooting-time-discrepancies).
+Real-Time frequency is no longer supported, and any attempt to edit or recreate a real-time schedule will default to 15-minute intervals.
 
-Real-time alerts are not duplicated, which means that if a specific raw log message has triggered an alert once already, that same log message will not trigger an alert a second time.
 
-For example, if **Message X** caused an alert to be sent at **Time T**, and Sumo Logic detects **Message X** again at **Time T+1**, Sumo Logic does not send a second alert at **Time T+1**. But if Sumo Logic detects **Message Y** at **Time T+1**, a new alert is sent, because the root cause is different.
+## Why did this change happen?
 
-:::important
-If the time zone of messages is set incorrectly, those logs won't be picked up by real-time alerts.
-:::
-
-
-## Limitations
-
-* The time range of a real-time alerts must be between 5 and 15 minutes. 
-* Searching by receipt time is not supported.
-* If your search query result is a subset of your previous run's result, a real-time alert will not trigger. It will trigger only when there are new results compared to the previous run.
-* A maximum of 120 emails are sent per day from real-time alerts.
-* Aggregate real-time scheduled searches evaluate the first 1,000 results per search. For example, if the scheduled search is supposed to return more than 1,000 results, reduce the scope of the search.
-* Non-aggregate real-time scheduled searches evaluate the first 100 results per search. For example, if the scheduled search is supposed to return more than 100 results, either convert it to aggregate scheduled search or reduce the scope of the search.
-* The [`_dataTier`](/docs/manage/partitions/data-tiers) search modifier is not supported in real-time alert searches.
-
-### Operator limitations
+[Monitors](/docs/alerts/monitors/overview) support real-time alerting on both logs and metrics, and offer significant advantages over Scheduled Searches, including:
 
-* Some queries cannot be used in real-time alerts searches. Other operators can be used in real-time search, but in the search, they must be included after the first "group-by" phrase:
+* [Multiple trigger conditions](/docs/alerts/monitors/create-monitor/#step-1-set-trigger-conditions) (Critical, Warning, Missing Data)
+* [Alert grouping](/docs/alerts/monitors/alert-grouping/)
+* [Playbook support](/docs/alerts/monitors/alert-response/#alert-details)
+* [AI-driven alerting](/release-notes-service/2024/12/31/#march-12-2024-alerts)
+* [Integration with the Alert Response page](/docs/alerts/monitors/alert-response/)
 
- | Not supported for real-time alerts | Must be added after a "group by" phrase |
- | :-- | :-- |
- | <ul><li>Count_frequent</li><li>Details</li><li>First, Last - instead use the withtime option, see [`most_recent` and `least_recent`](/docs/search/search-query-language/group-aggregate-operators/most-recent-least-recent).</li><li>LogReduce</li><li>Now()</li><li>Outlier will omit the first N (window size) data points in results because those data points are used in the training phase.</li><li>Join</li><li>Parse using</li><li>queryStartTime()</li><li>queryEndTime()</li><li>Save</li><li>Sessionize</li><li>Subquery</li><li>Threat Intel</li><li>Trace</li><li>Timeslice greater than 1 day</li><li>Transactionize</li></ul> | <ul><li>Accum</li><li>Backshift</li><li>Diff</li><li>Join</li><li>Limit</li><li>RollingStd</li><li>Smooth</li><li>Sort</li><li>Top</li><li>Total</li><li>Transaction By Flow</li><li>Compare With can be used when your query's aggregate operation is grouped by a [`timeslice`](/docs/search/search-query-language/search-operators/timeslice).</li></ul> |
+Monitors are the strategic focus for our future alerting development and enhancements.
 
-* Real-time queries using [Time Compare](/docs/search/time-compare) need to have at least three timeslices within its time range. For example, if the time range is 10 minutes, your timeslices need to be no longer than 3 minutes so that there are at least three of them.
+## What should I do?
 
-## Viewing existing real-time alerts
+If you're still relying on Scheduled Searches for real-time alerting, we strongly recommend migrating to Monitors for the most accurate, flexible, and reliable experience.
 
-- Navigate to the **Alerts** section in your Sumo Logic dashboard.
-- Use the search functionality to locate existing real-time alerts.
-
-## Editing existing real-time alerts
-
-- Click on the real-time alert you wish to edit.
-- Make necessary changes to the alert parameters (such as conditions or notification settings).
-- Save your changes to update the alert.
-
-## Deleting existing real-time alerts
-
-- Select the real-time alert you want to delete.
-- Click the **Delete** button and confirm the deletion.
+:::note Can I import a Scheduled Search into a Monitor?
+No. Scheduled Searches and Monitors use different JSON structures. You’ll need to recreate the search logic manually in the [Monitor creation UI](/docs/alerts/monitors/create-monitor/).
+:::
 
-## Alternatives to real-time alerts
+If your use case doesn't require real-time execution, your automatically converted Scheduled Search will continue to run every 15 minutes. However, it may be a good time to consider consolidating logic in Monitors for long-term maintenance.
 
-Since the creation of new real-time alerts is deprecated, we recommend using monitors to achieve similar functionality.
+If you have any questions, please contact your account team or open a [Support ticket](https://support.sumologic.com/support/s/).

docs/alerts/scheduled-searches/index.md

@@ -21,12 +21,6 @@ A _Scheduled Search_ is a standard [Log Search](/docs/search) that you save and
   <p>Learn how to create a Scheduled Search email alert.</p>
   </div>
 </div>
-<div className="box smallbox card">
-  <div className="container">
-  <a href="/docs/alerts/scheduled-searches/create-real-time-alert"><img src={useBaseUrl('img/icons/general/calendar.png')} alt="icon" width="40"/><h4>Create a Scheduled Search Real-Time Alert</h4></a>
-  <p>Learn how to create an alert to get notified in real-time when error conditions exist.</p>
-  </div>
-</div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/alerts/scheduled-searches/edit-cancel"><img src={useBaseUrl('img/icons/general/calendar.png')} alt="icon" width="40"/><h4>Edit or Cancel a Scheduled Search</h4></a>

docs/contributing/glossary.md

@@ -24,7 +24,7 @@ We also maintain a [DevOps and Security Glossary](https://www.sumologic.com/glos
 
 **[Aggregate](/docs/search/search-query-language/group-aggregate-operators)**. A group of data returned by a search, displayed in a simple table in the Aggregates tab of the Search page.
 
-**[Alert](/docs/alerts)**. A notification you can configure for a scheduled search. There are multiple alert types: Email, Script Action, ServiceNow Connection, Webhook, Save to Index, and Real Time Alerts.
+**[Alert](/docs/alerts)**. A notification you can configure for a scheduled search. There are multiple alert types, such as Email, Script Action, ServiceNow Connection, Webhook, and Save to Index.
 
 **[Allowlist](/docs/manage/security/create-allowlist-ip-cidr-addresses)**. Sumo Logic’s Service Allowlist Settings allow you to explicitly grant access to specific IP addresses and/or CIDR notations for logins, APIs, and dashboard access.
 

docs/contributing/word-list.md

@@ -149,8 +149,6 @@ If we are not clear on its usage, the term shouldn’t be used at all: Don't use
 
 ## R
 
-**Real Time**. As in Real Time alerts. Use two words, no hyphen. Should always be capitalized when referring to Real Time alerts, as that is a feature name. Not capitalized for a general use, as in "real time analysis".
-
 **Repo**. Short for repository. No need to spell out repository as our audience is technical enough for this to be clear.