Did you get this resolved? I'm having the exact same issue. - a ref="<reportname>" works fine with the restricted read permissions (no access to index data) but I cannot pass tokens to the report - a <query>| savedsearch <reportname> tokens=$tokens$ works fine for results but cannot run as report owner   How does one run as the report owner and still pass in tokens?   ... View more

I believe that this came from Christopher Boggs: index=_internal source=*license_usage.log* type=Usage | timechart span=1h sum(b) AS volume_b | predict algorithm=LLP period=24 volume_b as prediction future_timespan=24 | addinfo | where _time>=relative_time(info_max_time, "@d") AND _time<relative_time(info_max_time, "+d@d") | fields - info* | eval merged = coalesce(volume_b, prediction) | stats sum(merged) as predicted_volume sum(volume_b) as volume_so_far | eval volume_so_far=round(volume_so_far/1024/1024/1024,2) | eval predicted_volume=round(predicted_volume/1024/1024/1024,2) ... View more