Configuration file settings may be duplicated in multiple apps

kent_farries
Path Finder

It looks like Security Essentials has a conflict (Duplicate Search) with Enterprise Security. Can you please update the app to resolve this issue?

Configuration file settings may be duplicated in multiple apps: stanza="Unique_Hosts_Logged_Into_Per_Day" file="savedsearches" apps="Splunk_Security_Essentials,SplunkEnterpriseSecuritySuite"

0 Karma

cjecwest
Explorer

Hi - was there ever a resolution to this? The messages are annoying and I'm not really sure how to remedy the duplicated stanza other than commenting them out in one of the savedsearches configurations. Is that all I need to do?
Thanks,

kent_farries
Path Finder

In my case it was my SOC team who had created a search in Enterprise Security with the same name. We just renamed the search in Enterprise Security to resolve the issue.

cjecwest
Explorer

Thanks Kent,
Any insight on how to rename searches? I have identified duplicate named searches for different apps, but there doesn't seem to be a GUI way to do that.
Thanks,
Jeff

0 Karma

kent_farries
Path Finder

It has been a while since I did this but generally speaking I searched all the .conf files for the string Unique_Hosts_Logged_Into_Per_Day and once I found the files I edited the stanza in the .conf file directly. The file was savedsearches.conf in one of the ES apps under etc/apps.

e.g.
\etc\apps\SplunkEnterpriseSecuritySuite\local\savedsearches.conf

Old Stanza
[Unique_Hosts_Logged_Into_Per_Day]

New Stanza
[MyCompany Unique_Hosts_Logged_Into_Per_Day]

0 Karma
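Added example, not part of the thread or of any Splunk app: a Python sketch of the search step described above, listing every savedsearches.conf stanza name that is declared by more than one app under etc/apps. The function names and the sample tree are constructed for illustration, and the check compares exact stanza names only.

```python
import os
import re
import tempfile
from collections import defaultdict

STANZA = re.compile(r"^\[([^\]]+)\]$")

def stanzas_in(path):
    """Return the stanza names declared in one .conf file."""
    names = set()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = STANZA.match(line.strip())
            if m and m.group(1) != "default":  # [default] holds global settings
                names.add(m.group(1))
    return names

def find_duplicates(apps_dir, conf="savedsearches.conf"):
    """Map each stanza name declared by two or more apps to those apps.
    default/ and local/ of the same app count once: that is normal layering."""
    owners = defaultdict(set)
    for app in sorted(os.listdir(apps_dir)):
        for layer in ("default", "local"):
            path = os.path.join(apps_dir, app, layer, conf)
            if os.path.isfile(path):
                for name in stanzas_in(path):
                    owners[name].add(app)
    return {n: sorted(a) for n, a in owners.items() if len(a) > 1}

def build_sample(root):
    """Write a constructed etc/apps tree using the app names from the warning."""
    files = {
        ("Splunk_Security_Essentials", "default"):
            "[Unique_Hosts_Logged_Into_Per_Day]\nsearch = | makeresults\n",
        ("SplunkEnterpriseSecuritySuite", "default"):
            "[default]\n[Constructed Example Search]\nsearch = | makeresults\n",
        ("SplunkEnterpriseSecuritySuite", "local"):
            "[Unique_Hosts_Logged_Into_Per_Day]\nsearch = | makeresults\n"
            "[Constructed Example Search]\ndisabled = 1\n",
    }
    for (app, layer), body in files.items():
        os.makedirs(os.path.join(root, app, layer), exist_ok=True)
        with open(os.path.join(root, app, layer, "savedsearches.conf"), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as apps_dir:
        build_sample(apps_dir)
        for name, apps in find_duplicates(apps_dir).items():
            print(f'stanza="{name}" apps="{",".join(apps)}"')
```

On a real instance, pass the etc/apps directory of the Splunk installation to find_duplicates instead of the sample tree.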

cjecwest
Explorer

Interesting - now receiving messages with the renamed stanza and I only changed one savedsearch.conf.

0 Karma

cjecwest
Explorer

Thanks, that's helpful. Interestingly, I am seeing similar messages that report the duplication is in the same app.

0 Karma

kent_farries
Path Finder

I had some extra cycles to troubleshoot this and it looks like my SOC team had created a search in Enterprise Security with the same name a while back. I just renamed the saved search in ES.

You can ignore this issue.
