If the alert was working >2 days ago, you might have an issue with search concurrency. Do you have a lot of other scheduled and/or real-time searches running? Every real-time search consumes a CPU core, and there is a concurrent search limit both at the user level, and at the search head (global) level. You can download SoS (https://splunkbase.splunk.com/app/748/) to troubleshoot search concurrency, or SUM (https://splunkbase.splunk.com/app/2678/) to troubleshoot scheduled searches not running. You need access to index=_internal to use either app.
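Added example, not part of the original answer: a sketch of the two checks described above, counting skipped scheduled searches in `index=_internal` scheduler events and deriving the search-head concurrency limits from `limits.conf`. The log lines are constructed, and the parameter defaults and integer rounding are assumptions to verify against the `limits.conf.spec` of your Splunk version.

```python
import re
from collections import Counter

# Constructed lines in the style of scheduler.log (index=_internal
# sourcetype=scheduler); search names and reasons are made up.
SAMPLE_LOG = """\
01-15-2015 10:00:01.120 +0000 INFO SavedSplunker - user="admin", app="search", savedsearch_name="Failed Logins Alert", status=skipped, reason="maximum concurrent scheduled searches reached", scheduled_time=1421316000
01-15-2015 10:00:02.310 +0000 INFO SavedSplunker - user="admin", app="search", savedsearch_name="Disk Usage Report", status=success, run_time=4.2, scheduled_time=1421316000
01-15-2015 10:05:01.090 +0000 INFO SavedSplunker - user="admin", app="search", savedsearch_name="Failed Logins Alert", status=skipped, reason="maximum concurrent scheduled searches reached", scheduled_time=1421316300
01-15-2015 10:05:01.450 +0000 INFO SavedSplunker - user="bob", app="search", savedsearch_name="Proxy Errors", status=skipped, reason="user quota of concurrent searches reached", scheduled_time=1421316300
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_line(line):
    """Return the key=value pairs of one scheduler.log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def skipped_by_search(log_text):
    """Count skipped runs per (saved search, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event.get("status") == "skipped":
            counts[(event["savedsearch_name"], event.get("reason", ""))] += 1
    return counts

def concurrency_limits(cpu_cores, max_searches_per_cpu=1, base_max_searches=6,
                       max_searches_perc=50, max_rt_search_multiplier=1):
    """Search-head limits derived from limits.conf settings.
    Assumption: parameter defaults and integer rounding may differ by version."""
    historical = max_searches_per_cpu * cpu_cores + base_max_searches
    return {
        "historical": historical,
        "scheduled": historical * max_searches_perc // 100,
        "real_time": historical * max_rt_search_multiplier,
    }

if __name__ == "__main__":
    for (name, reason), n in skipped_by_search(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {name}: {reason}")
    print(concurrency_limits(cpu_cores=8))
```

An alert that appears repeatedly with a concurrency-related reason is being skipped by the scheduler rather than failing in its own search logic.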