We recently upgraded to Splunk Enterprise 8.2.2 and we just had a license expire in a lower environment and never saw an alert. Upon investigation, it looks like the search for "DMC Alert - Expired and Soon To Expire Licenses" may have an issue.
In the search below, if I update "| where has_valid_license == 0" to "| where has_valid_license == 1", it displays the expired alert in the search results. It doesn't appear this search was changed, and it is the same in all our Monitoring Console instances. The alert was working last month, before we upgraded, on 7.2.x.
Has anyone else seen the same thing?
| rest splunk_server_group=dmc_group_license_master /services/licenser/licenses \
| join type=outer group_id splunk_server [ \
rest splunk_server_group=dmc_group_license_master /services/licenser/groups \
| where is_active = 1 \
| rename title AS group_id \
| fields is_active group_id splunk_server] \
| where is_active = 1 \
| eval days_left = floor((expiration_time - now()) / 86400) \
| where NOT (quota = 1048576 OR label == "Splunk Enterprise Reset Warnings" OR label == "Splunk Lite Reset Warnings") \
| eventstats max(eval(if(days_left >= 14, 1, 0))) as has_valid_license by splunk_server \
| where has_valid_license == 0 AND (status == "EXPIRED" OR days_left < 15) \
| eval expiration_status = case(days_left >= 14, days_left." days left", days_left < 14 AND days_left >= 0, "Expires soon: ".days_left." days left", days_left < 0, "Expired") \
| eval total_gb=round(quota/1024/1024/1024,3) \
| fields splunk_server label license_hash type group_id total_gb expiration_time expiration_status \
| convert ctime(expiration_time) \
| rename splunk_server AS Instance label AS "Label" license_hash AS "License Hash" type AS Type group_id AS Group total_gb AS Size expiration_time AS "Expires On" expiration_status AS Status
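To see why the expired license only shows up once the comparison is flipped, here is an added Python replay of the search's filter logic over a constructed set of license records (example code, not Splunk's; the subsearch join is collapsed into an is_active field and the sample data is made up):

```python
# Constructed sample licenses (not real Splunk data): one server has an
# expired license plus a still-valid one; the other has only an expiring one.
DAY = 86400
NOW = 1_700_000_000  # fixed "now" so results are deterministic

SAMPLE_LICENSES = [
    {"splunk_server": "lm01", "label": "Prod 50GB", "quota": 50 * 1024**3,
     "status": "EXPIRED", "expiration_time": NOW - 3 * DAY, "is_active": 1},
    {"splunk_server": "lm01", "label": "Prod 50GB renewal", "quota": 50 * 1024**3,
     "status": "VALID", "expiration_time": NOW + 300 * DAY, "is_active": 1},
    {"splunk_server": "lm02", "label": "Dev 10GB", "quota": 10 * 1024**3,
     "status": "VALID", "expiration_time": NOW + 5 * DAY, "is_active": 1},
    {"splunk_server": "lm02", "label": "Splunk Enterprise Reset Warnings", "quota": 1048576,
     "status": "VALID", "expiration_time": NOW + 3650 * DAY, "is_active": 1},
]
EXCLUDED_LABELS = {"Splunk Enterprise Reset Warnings", "Splunk Lite Reset Warnings"}

def expiration_status(days_left):
    """Mirror of the search's case() expression."""
    if days_left >= 14:
        return f"{days_left} days left"
    if days_left >= 0:
        return f"Expires soon: {days_left} days left"
    return "Expired"

def run_alert(licenses, has_valid_license_value=0, now=NOW):
    """Replay the DMC search's filters; is_active stands in for the group join.
    has_valid_license_value is the constant in '| where has_valid_license == ...'
    (0 in the shipped search). Returns (server, label, status) rows alerted on."""
    rows = []
    for lic in licenses:
        if lic["is_active"] != 1:
            continue
        days_left = (lic["expiration_time"] - now) // DAY  # same as floor()
        if lic["quota"] == 1048576 or lic["label"] in EXCLUDED_LABELS:
            continue
        rows.append({**lic, "days_left": days_left})
    # eventstats max(...) by splunk_server: 1 if ANY surviving license on the
    # server still has >= 14 days left, else 0 (one value for the whole server).
    has_valid = {}
    for r in rows:
        flag = 1 if r["days_left"] >= 14 else 0
        has_valid[r["splunk_server"]] = max(has_valid.get(r["splunk_server"], 0), flag)
    return [
        (r["splunk_server"], r["label"], expiration_status(r["days_left"]))
        for r in rows
        if has_valid[r["splunk_server"]] == has_valid_license_value
        and (r["status"] == "EXPIRED" or r["days_left"] < 15)
    ]
```

With the shipped `== 0`, lm01's expired license is suppressed because the same server also holds a license with more than 14 days left, so only lm02's soon-to-expire license is returned; with `== 1` the expired lm01 entry is the only row, which matches the behaviour described above.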