Update savedsearches.conf

default/savedsearches.conf

@@ -8665,3 +8665,29 @@ search = index=_audit "info=completed" search_id!="'SummaryDirector_*" search_id
 | eval search_head=host \
 | eval env=`search_head_cluster`\
 | stats values(savedsearch_name) AS calling_savedsearch_name by _time, user, provenance, mode, app, identified_savedsearch_name, env, method
+
+[AllSplunkEnterpriseLevel - Unable to communicate with license manager]
+action.email.reportServerEnabled = 0
+action.keyindicator.invert = 0
+alert.suppress = 0
+alert.track = 1
+alert.digest_mode = 1
+alert.severity = 2
+auto_summarize.dispatch.earliest_time = -1d@h
+counttype = number of events
+cron_schedule = 11 * * * *
+description = Chance the alert requires action? High. This error indicates a license manager (previously master) is not accessible, if this is temporary it can be ignored but if it is persistent you have 72 hours before the license grace period expires and then the license is marked as expired. A new message of "Your Splunk license expired or you have exceeded your license limit" will appear as of 9.1.3
+dispatch.earliest_time = -1h
+dispatch.latest_time = now
+display.events.fields = ["host","source","sourcetype"]
+display.statistics.drilldown = row
+display.visualizations.charting.chart = line
+display.visualizations.show = 0
+enableSched = 1
+quantity = 0
+relation = greater than
+request.ui_dispatch_app = SplunkAdmins
+request.ui_dispatch_view = search
+search = index=_internal `splunkenterprisehosts` sourcetype=splunkd (`splunkadmins_splunkd_source`) log_level=ERROR component=LMTracker "failed to send rows" \
+| stats count, first(_raw) AS _raw, latest(_time) AS lastseen, earliest(_time) AS firstseen by host \
+| eval lastseen=strftime(lastseen, "%+"), firstseen=strftime(firstseen, "%+")