I tried with 6.5.0 on Linux (64 bit) and alerts seem to work.
Maybe post the alert you are trying?
I tried a very simple saved search that I scheduled to run every minute:
error | head 3000 | stats count by host
And put a small threshold and the alert was put in list of Triggered Alerts and I received an email.
Can you say more? Given an example? Do you mean you don't see the alert in the list of triggered alerts?
I had the same problem with this alert on my search head "sourcetype=splunkd action=login status=failure" I monitor bad login events and trigger an email to splunk admins. However, after the 6.5 upgrade, I noticed alerts from this sourcetype were not working. I had to re-enable the monitor for "splunkd.log" Now my alerts are triggering.. Make sure you monitors are still in place.. From the Command line on your forwarders try "./bin/splunk list monitor" This will provide a list of monitors in place. Not sure why the splunkd.log dropped off, but now its being forwarded to the indexer fine!
Im having the same issues after upgrading to 6.5. Splunkd is definatley monitored and searchable from my indexers. No scheduled searches are running.
We have found a solution : the issue was the \n character (maybe a change with the SPL in the v6.5 ) in some of our alerts.
Please find below the answer of splunk support on this :
"We have a few related sounding known issues like this (listed below).
Your one actually isn't documented externally yet though.
Internal reference (which you can us when talking to support/accounts team is SPL-129846). It is a regression bug, and is due to be fixed in 6.5.1.
SPL-34347 = wmi input default fields - with value including newlines doesn't search properly becasue of \r\n issue
SPL-74209, SPL-74167 = Persistent queues are not created on Windows for stanzas that contain unusual characters (such as < and >).
Workaround: Specify the persistentQueue explicitly in the input definition.
SPL-78179 = REST /saved/searches App names with special characters have invalid links. "