trigger condition is send email.please find the above screen shot you see where nonzero counts are exceeding 5.   ... View more

What is the exact text of the error message(s) you receive? I see below error in search head captain and status show as red. Root Cause(s): The percentage of high priority searches delayed (11%) over the last 24 hours is very high and exceeded the red thresholds (10%) on this Splunk instance. Total Searches that were part of this percentage=100. Total delayed Searches=11 Last 50 related messages:   Did anything else change besides the version of Splunk? We have not changed anything after version upgrade. What is you Splunk environment like (single instance, cluster, etc.)? Our environment is in cluster..4 indexer 3 search head 1 deployer 1 matster When you say the custom alerts are "not working" what exactly do you mean?  What are the symptoms?  Are they running at all? Have you checked the search log for the alerts? Custom alert conditions are not working. I have investigated scheduler log. I could see that status is success alert action is blank.one user raised the concern that alert is not triggering when the custom condition are met. Later we realized that its not working with all the alerts which are using custom condition. 10-31-2020 08:10:07.566 +0000 INFO SavedSplunker - savedsearch_id="XXX;search; alert", search_type="", user="XXX", app="search", savedsearch_name="XXXX alert", priority=default, status=success, digest_mode=1, scheduled_time=1604131800, window_time=0, dispatch_time=1604131805, run_time=1.785, result_count=1015, alert_actions="", sid="scheduler__smadan__search__RMD5ab6a869ca92dbacc_at_1604131800_63960_638683B3-25D9-4D2A-AF2E-4E43362FDBFA", suppressed=0, thread_id="AlertNotifierWorker-0", workload_pool="" ... View more

Adding python.version = python3 is not required as i think.Since i see that python 3 is already running. Is it correct? /splunk cmd python3 --version Python 3.7.4   Regards,Shivanand         ... View more

Hello is this solution worked for you?   regards,Shivanand ... View more

Thanks for your reply .. We are doing offline update.  Which are the splunk configurations need to check for this upgrade? Regards,Shivanand ... View more

Ok.. Better to leave as it is.. But any suggestion to maintain the retention for other index we have..They are also helding more number of data.       ... View more

Thanks for the reply. I see only jan month events for one of the index and there is no events are present till july.. I understand events are stored in the bucket and they will deleted once the buckets are rolled out.This is something strange i see.. how i need to get rid of this? ... View more

Hello Sir,   this issue has started after the up gradation to 8.0.1.Prior to that there was no issues.is there anything i need to check ... View more

I still have this issue. I. have the same concern.These errors are appears from cluster captain. ... View more

Ok. Thanks .. Let me try   ... View more

i am not using that .So i need to use that stanza for all the custom index. ... View more

Thanks for the reply. Custom indexes are created by me on indexer master node. i am speaking in master node.I am not able to see the custom indexes under settings -->indexer clustering---->indexes.... created custom indexes under below path /opt/splunk/etc/master-apps/ee_all_indexes/local  ... View more

can you please tell me which attribute consider in limits.com.we have same issue. ... View more

Even we have same issue.Can you please tell which attributes value should increase.?     ... View more

Ping is success.I am not seeing any connectivity issue.     ... View more