I just did a fresh install of 7.2.4 and installed my dev/test license. I am trying to test email alert functionality, which worked on this system when a previous version was installed. The search fires and appears to trigger the alert action but it looks like sendemail is failing. This is the message in the python.log:
2019-02-08 15:45:01,734 -0500 ERROR sendemail:1397 - [HTTP 404] https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/Splunk%20Web%20Login?output_mode=json
I am not sure if this a bug which needs to have support check into it, or if it is due to using a dev/test license under this version. I did not have this issue with a dev/test license under older versions. I did set up this instance with a different admin username than admin however, so I am not sure if this is related.
Unfortunately, this appears to a limitation with the dev license. With identical settings in my prod Splunk with enterprise license, it works just fine, but the dev server returns the same 404 error you're getting.
This is the second time I've spent hours chasing an issue only to realize it is an unpublished license limitation. 😕
404 status code means the page is not found. In this case the URL seems to suggest its looking for the json output of a search named “Splunk Web Login”.
Is there a search named “Splunk Web Login” in savedsearches.conf in $splunk_home/etc/apps/search/default/