Skip to main content
Sumo Logic

Restricted Operators in Dashboards

There are some restrictions when you use operators with dashboards.

Dashboard restrictions

The following operators can't be used with dashboards:

  • Details
  • InferSignatures
  • LogReduce
  • LogCompare
  • Parse multi
  • Sample (internal-use operator)
  • Save
  • Transaction

Live mode restrictions

The following operators can't be used in Live mode:

  • Compare With can be used when your query's aggregate operation is grouped by a timeslice
  • Details
  • First
  • InferSignatures
  • Join
  • Last
  • LogReduce
  • LogCompare
  • Now
  • Outlier will omit the first N (window size) data points in results because those data points are used in the training phase.
  • Parse Using
  • Sample (internal-use operator)
  • Save
  • Sessionize
  • Threat Intel
  • Trace
  • Timeslice greater than 1 day
  • Transactionize

Include only after the first group-by phrase

The following operators can be used in Dashboard Panels, but in the search they must be included after the first "group-by" phrase: 

  • Accum
  • Backshift
  • Diff
  • Join
  • Limit
  • RollingStd
  • Smooth
  • Sort
  • Top
  • Total
  • Transaction By Flow

Notes

For the transaction operator, tables generated with unordered data can be added to dashboards. Flow Diagrams cannot be added to Dashboards.

You can use the count_frequent operator in dashboard queries, but the number of results returned is limited to the top 100 most frequent results. All results are available when the search is run on the Search page, but only the top 100 are displayed in the Panel.

Sumo Logic provides support for optimization to improve the efficiency of searches in Interactive dashboards. See Optimize Panels in Interactive Dashboards.