I believe the solution is to disable the feature: Create a health.conf entry in /opt/splunk/etc/system/local on the affected machines being sure to restart splunk after the entry is made.   adding:   [health_reporter] aggregate_ingestion_latency_health = 0 [feature:ingestion_latency] alert.disabled = 1   disabled = 1 ... View more

We had this problem after upgrading to v8.2.3 and have found a solution. After disabling the SplunkUniversal Forwarder, the SplunkLightForwarder and the SplunkForwarder on splunkdev01, the system returned to normal operation. These apps were enabled on the Indexer and should have been disabled by default. Also when trying to load a UniversalForwarder that is not compatible to v8.2.3, it will cause ingestion latency and tailreader errors. We had some Solaris 5.1 servers (forwarders) that are no longer compatible with upgrades so we just kept them on 8.0.5. The upgrade requires Solaris 11 or more. The first thing I did was go to the web interface, Manage Apps and searched *forward*. This showed the three Forwarders that I needed to disable and I disabled them on the interface. I also  typed these commands in unix on the indexer: splunk disable app SplunkForwarder -auth <username>:<password> splunk disable app SplunkLight -auth <username>:<password> splunk disable app SplunkUniversalForwarder -auth <username>:<password> After doing these things the ingestion latency and tailreader errors stopped. ... View more