It looks like Security Essentials has a conflict (Duplicate Search) with Enterprise Security. Can you please update the app to resolve this issue?
Configuration file settings may be duplicated in multiple apps: stanza="Unique_Hosts_Logged_Into_Per_Day" file="savedsearches" apps="Splunk_Security_Essentials,SplunkEnterpriseSecuritySuite"
Hi - was there ever a resolution to this? The messages are annoying and I'm not really sure how to remedy the duplicated stanza other than commenting them out in one of the savedsearches configurations. Is that all I need to do?
Thanks,
In my case it was my SOC team who had created a search in Enterprise Security with the same name. We just renamed the search in Enterprise Security to resolve the issue.
Thanks Kent,
Any insight on how to rename searches? I have identified duplicate named searches for different apps, but there doesn't seem to be a GUI way to do that.
Thanks,
Jeff
It has been a while since I did this, but generally speaking I searched all the .conf files for the string Unique_Hosts_Logged_Into_Per_Day, and once I found the files I edited the stanza in the .conf file directly. The file was savedsearches.conf in one of the ES apps under etc/apps.
e.g.
\etc\apps\SplunkEnterpriseSecuritySuite\local\savedsearches.conf
Old Stanza
[Unique_Hosts_Logged_Into_Per_Day]
New Stanza
[MyCompany Unique_Hosts_Logged_Into_Per_Day]
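The search across .conf files described in the reply above can be scripted. This is an added example, not code from the thread or from Splunk; it assumes the usual etc/apps/<app>/{default,local}/savedsearches.conf layout, takes the apps directory as its first argument, reads the raw files rather than Splunk's merged configuration, and goes slightly beyond the reply by also reporting a stanza name repeated inside a single file.

```python
import re
import sys
from collections import Counter, defaultdict
from pathlib import Path

STANZA = re.compile(r"^\[(.+)\]\s*$")

def parse_stanzas(conf_path):
    """Return stanza names in file order, skipping comments and continued lines."""
    names, continued = [], False
    text = Path(conf_path).read_text(encoding="utf-8", errors="replace")
    for line in text.splitlines():
        is_comment = not continued and line.lstrip().startswith("#")
        if not continued and not is_comment:
            m = STANZA.match(line)
            if m:
                names.append(m.group(1))
        # A trailing backslash continues a value (for example a multi-line search
        # whose subsearch line starts with "["), so the next line is not a header.
        continued = not is_comment and line.rstrip().endswith("\\")
    return names

def find_duplicates(apps_dir, conf="savedsearches.conf"):
    """Return (cross_app, same_file): stanza -> apps, and file -> repeated names."""
    apps_by_stanza = defaultdict(set)
    same_file = {}
    for path in sorted(Path(apps_dir).glob(f"*/*/{conf}")):
        if path.parent.name not in ("default", "local"):
            continue
        app = path.parent.parent.name
        counts = Counter(parse_stanzas(path))
        counts.pop("default", None)  # [default] holds global settings, not a search
        for name, n in counts.items():
            apps_by_stanza[name].add(app)
            if n > 1:
                same_file.setdefault(str(path), []).append(name)
    cross_app = {s: sorted(a) for s, a in apps_by_stanza.items() if len(a) > 1}
    return cross_app, same_file

if __name__ == "__main__":
    # Assumption: run from the Splunk home directory, or pass the apps path.
    cross, same = find_duplicates(sys.argv[1] if len(sys.argv) > 1 else "etc/apps")
    for stanza, apps in sorted(cross.items()):
        print(f'stanza="{stanza}" apps="{",".join(apps)}"')
    for path, names in sorted(same.items()):
        print(f"{path}: repeated in file: {', '.join(names)}")
```

A stanza present in both default and local of the same app is ordinary layering and is not reported.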
Interesting - now receiving messages with the renamed stanza and I only changed one savedsearch.conf.
Thanks, that's helpful. Interestingly, I am seeing similar messages that report the duplication is in the same app.
I had some extra cycles to troubleshoot this and it looks like my SOC team had created a search in Enterprise Security with the same name a while back. I just renamed the saved search in ES.
You can ignore this issue.