Thank you! index=_internal source=*scheduler.log status!=success OR NOT INFO savedsearch_name="[name of saved search here]" | dedup reason | table reason In my case, reason == "maxRtsearches limit reached"

Great. For future growth, there should be logs in _internal stating that this limit has been reached... I think. If you found those you could consider setting up a (non-realtime) alert for them to add more cores / add more search heads / increase the limit.

That did the trick. I changed base_max_searches and max_rt_search_multiplier and now they're all showing up in Jobs and my test one is responding properly.

There are two limits to be concerned about here, one is the number of real-time searches your user can run (see Settings -> Authentication -> Roles), the other is the number of real-time searches your Search Head can run (see limits.conf, depends on the number of cores your SH has).

Not sure how the limit for the nobody user is calculated though.

It appears the number of searches may be partially responsible. When I have just one real-time alert in the savedsearches.conf file it appears to work correctly, but when I get up to 6, it stops working. The requirements being fulfilled by Splunk require as many as 14 real time searches to trigger alerts when necessary, so I definitely need some kind of solution to this problem.

Yeah, running in system/local isn't such a great idea... however, if they're still not running if moved to an app context then there's gotta be an error message for that that's different from the system/local one.

I see 8 searches in the Jobs view, but not one for each of my alerts. Four have their status marked as "Done", while 4 others (which are some of my alerts, but not the one I'm using for testing) have the status "Running (100%).

I see an entry in the scheduler log indicating that it cannot execute scheduled searches that live at the system level for some reason, but I'm getting the same behavior regardless of whether my savedsearches.conf file is in apps/search/local or system/local (with a restart after moving the file so the searches are moved into an app context).

I see. There's a huge list of things that could be going wrong. Is the search running in the job inspector and showing results? What's the trigger condition and similar configs for the alert? Anything suspicious / erroring in _internal?

The search for the alert is real-time, not scheduled. I'm just using the fact that the entry is showing up in search using the same criteria to prove to myself that the event was received.