I have the same problem and I'm stuck a bit, can someone help me find some ideas? in the splunk search head web interface => settings => advance settings => distributed search => search peer => the "replication status" column is in "initial" state when it should be successful when I perform a health check I get a message that tells me "opportunity to move from search head pooling to search head cluster" disabling then re-enabling the indexer cluster could be a solution. I'm a little afraid of breaking everything by doing this.

@ITWhisperer  The base search is - index=idx-cloud-azure "*09406b3b-b643-4e86-876e-4cd5f5a8be57*" and the logs with this search looks like-  amal_ResourceGroup: PLANALLOC-GSAS-NONPROD-D01-EUS2-GSAS-RG amal_ResourceName: ALLOCD01GSASTENANTCOSMOSDBACCOUNT01 - COSMOSDB ACCOUNT ADMIN OPERATION amal_ResourceType: MICROSOFT.INSIGHTS/ACTIVITYLOGALERTS amal_SubscriptionId: 09406B3B-B643-4E86-876E-4CD5F5A8BE57 caller: Microsoft.Insights/ActivityLogAlerts category: Alert correlationId: 6132ca53-ed10-4f13-8c2a-5496dd7decde identity: { [+] } level: Informational location: global operationName: Microsoft.Insights/ActivityLogAlerts/Activated/action properties: { [+] } resourceId: /subscriptions/09406b3b-b643-4e86-876e-4cd5f5a8be57/resourceGroups/planalloc-gsas-nonprod-d01-eus2-gsas-rg/providers/microsoft.insights/activityLogAlerts/allocd01gsastenantcosmosdbaccount01 - CosmosDB Account Admin Operation resultDescription: Alert: allocd01gsastenantcosmosdbaccount01 - CosmosDB Account Admin Operation called on action groups : alloceus2d01ag01 resultType: Succeeded time: 2023-11-06T11:53:58.8277854Z I have a field called "metricName" one of those values are CpuPercentage , MemoryPercentage etc. listed in the image So I am filtering my search with the metricName like this -  index=idx-cloud-azure "*09406b3b-b643-4e86-876e-4cd5f5a8be57*" metricName="MemoryPercentage" OR metricName="CpuPercentage" The condition for the alert is - when the count of CPUPercentage > 85 and MemoryPercentage > 85, it should trigger and alert.

Hi @Bisho-Fouad , I'm sorry I couldn't help you more. let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated

This will give you what you have asked for, although I am not sure of the value of it as if your timeframe is wide enough, you will eventually get more than 85 events of each metric. index=idx-cloud-azure "*09406b3b-b643-4e86-876e-4cd5f5a8be57*" | chart count by index, metricName | where CpuPercentage > 85 AND MemoryPercentage > 85 , 

@ITWhisperer  CPUPercentage and MemoryPercentage are the field values of a field called metricName. The condition for the alert is - when the count of CPUPercentage > 85 and MemoryPercentage > 85, it should trigger an alert.   Please refer to the screenshot attached.

@ITWhisperer  The logs look like this - amdl_ResourceGroup: PLANALLOC-GSAS-NONPROD-IACD01-EUS2-GSAS-RG amdl_ResourceName: ALLOC-EUS2-IACD01-GSAS-WINASP01 amdl_ResourceType: MICROSOFT.WEB/SERVERFARMS amdl_SubscriptionId: 09406B3B-B643-4E86-876E-4CD5F5A8BE57 average: 0 count: 1 maximum: 0 metricName: CpuPercentage minimum: 0 resourceId: /SUBSCRIPTIONS/09406B3B-B643-4E86-876E-4CD5F5A8BE57/RESOURCEGROUPS/PLANALLOC-GSAS-NONPROD-IACD01-EUS2-GSAS-RG/PROVIDERS/MICROSOFT.WEB/SERVERFARMS/ALLOC-EUS2-IACD01-GSAS-WINASP01 time: 2023-11-06T11:38:00Z timeGrain: PT1M total: 0

Depening on how many Apps are disregarded by the Readiness App you could check the Outlier Apps on Splunkbase. If your currently installed version supports Splunk 9.x it should support Python 3 as well. A note regarding 9.x Upgrades: While upgrading to 9.x  from 8.x or lower; check how much storage your KV Stores take up on your systems. The KV Storage gets upgraded in the process of the Update and Splunk wants to backup all Kvstores in the process. This requires at least twice the amount of storage your KVStores currently use. If you don't do so you have to manually upgrade them afterwards instead of as part of the Splunk Upgrade Process.