After installing Splunk 6.6.3 I have configured log sending from various sources: Windows servers, Linux servers, VMware esxvcenter and ESXi. The last action was installing and initially configuring splunk-app-for-pci-compliance-splunk-enterprise_341.spl.
But finally I got a lot of messages (above 1000 during the weekend) like:
Configuration file settings may be duplicated in multiple apps: stanza="Utils - Top REST by duration" conf_type="savedsearches" apps="SA-Utils,SA-VMNetAppUtils"
Can you help me prevent this flood of messages?
Just an FYI for anyone else coming across this issue, Enterprise Security also comes with its own SA-Utils which has a lot of functionality baked into it that is not in the SA-VMNetAppUtils app, so you cannot disable it. I'm uncertain how to resolve the duplicates in this instance because we are attempting to set up NetApp ONTAP logging on the same instance as ES (not recommended I know, but it's a standalone instance/demo environment).
I would open a ticket with support - typically I think that app is sold with proServices to perform the install.
It is possibly just a case of disabling the duplicate extractions in the PCI app but you should check with support first, in case they recommend disabling the other TA/SAs as preference.
Did this help you? If you found it useful, please be sure to accept/upvote any posts which helped, as it provides useful feedback for future viewers of your question. Good luck!
I wrote to support and they told me that I had to disable the SA-Utils app. And this helped me to solve the problem.
Great news, please be sure to accept my answer and upvote if I helped - it means future visitors know you found a solution!
I have tried to reboot the Splunk Enterprise server, but it didn't help me. I still have a lot of messages like:
Configuration file settings may be duplicated in multiple apps: stanza="Utils - User Realnames - Lookup Gen" conf_type="savedsearches" apps="SA-VMNetAppUtils,SA-Utils"
Configuration file settings may be duplicated in multiple apps: stanza="Utils - Top REST by duration" conf_type="savedsearches" apps="SA-Utils,SA-VMNetAppUtils"
and so on
Did you restart your Splunk server after installing the PCI app?
After restarting I still have several hundred messages per day:
Configuration file settings may be duplicated in multiple apps: stanza="Per-Panel Filtering - Activity By User Over Time" conf_type="savedsearches" apps="SA-Utils,SA-VMNetAppUtils"
Configuration file settings may be duplicated in multiple apps: stanza="Utils - Top REST actions by sourcetype" conf_type="savedsearches" apps="SA-Utils,SA-VMNetAppUtils"
Configuration file settings may be duplicated in multiple apps: stanza="Utils - User Realnames - Lookup Gen" conf_type="savedsearches" apps="SA-VMNetAppUtils,SA-Utils"
I still have the same problems.
Where are these messages displayed - on Stdout when you restart?
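To decide which app or saved searches to disable, it helps to reduce the flood to the distinct stanzas and app pairs behind it. The following is an added example, not part of the original thread or of Splunk itself: it parses the warning format quoted above, treats `apps="A,B"` and `apps="B,A"` as the same pair, and counts each stanza. The sample lines are copied from the thread, plus one constructed unrelated line.

```python
import re
from collections import defaultdict

# Pattern for the warning text exactly as quoted in the thread.
WARNING = re.compile(
    r'Configuration file settings may be duplicated in multiple apps: '
    r'stanza="(?P<stanza>[^"]*)" conf_type="(?P<conf>[^"]*)" '
    r'apps="(?P<apps>[^"]*)"'
)

def summarize(lines):
    """Return {(conf_type, sorted app tuple): {stanza: count}}."""
    groups = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = WARNING.search(line)
        if not m:
            continue  # not a duplicate-stanza warning
        # The same pair is reported in either order, so normalise it.
        apps = tuple(sorted(a.strip() for a in m["apps"].split(",") if a.strip()))
        groups[(m["conf"], apps)][m["stanza"]] += 1
    return {key: dict(stanzas) for key, stanzas in groups.items()}

def report(lines):
    """Return one text line per duplicated stanza, most frequent first."""
    out = []
    for (conf, apps), stanzas in sorted(summarize(lines).items()):
        out.append(f"{conf}.conf duplicated across: {', '.join(apps)}")
        for stanza, n in sorted(stanzas.items(), key=lambda kv: (-kv[1], kv[0])):
            out.append(f"  {n:>4}  [{stanza}]")
    return out

PREFIX = "Configuration file settings may be duplicated in multiple apps: "
# Warnings copied from the thread; the last line is constructed noise.
SAMPLE = [
    PREFIX + 'stanza="Utils - User Realnames - Lookup Gen" conf_type="savedsearches" apps="SA-VMNetAppUtils,SA-Utils"',
    PREFIX + 'stanza="Utils - Top REST by duration" conf_type="savedsearches" apps="SA-Utils,SA-VMNetAppUtils"',
    PREFIX + 'stanza="Per-Panel Filtering - Activity By User Over Time" conf_type="savedsearches" apps="SA-Utils,SA-VMNetAppUtils"',
    PREFIX + 'stanza="Utils - Top REST actions by sourcetype" conf_type="savedsearches" apps="SA-Utils,SA-VMNetAppUtils"',
    PREFIX + 'stanza="Utils - User Realnames - Lookup Gen" conf_type="savedsearches" apps="SA-VMNetAppUtils,SA-Utils"',
    "Some unrelated message (constructed)",
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
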