Configuration file settings may be duplicated in multiple apps

kent_farries
Path Finder

It looks like Security Essentials has a conflict (Duplicate Search) with Enterprise Security. Can you please update the app to resolve this issue?

Configuration file settings may be duplicated in multiple apps: stanza="Unique_Hosts_Logged_Into_Per_Day" file="savedsearches" apps="Splunk_Security_Essentials,SplunkEnterpriseSecuritySuite"

0 Karma

cjecwest
Explorer

Hi - was there ever a resolution to this? The messages are annoying and I'm not really sure how to remedy the duplicated stanza other than commenting them out in one of the savedsearches configurations. Is that all I need to do?
Thanks,

kent_farries
Path Finder

In my case it was my SOC team who had created a search in Enterprise Security with the same name. We just renamed the search in Enterprise Security to resolve the issue.

cjecwest
Explorer

Thanks Kent,
Any insight on how to rename searches? I have identified duplicate named searches for different apps, but there doesn't seem to be a GUI way to do that.
Thanks,
Jeff

0 Karma

kent_farries
Path Finder

It has been a while since I did this but generally speaking I searched all the .conf files for the string Unique_Hosts_Logged_Into_Per_Day and once I found the files I edited the stanza in the .conf file directly. The file was savedsearches.conf in one of the ES apps under etc/apps.

e.g.
\etc\apps\SplunkEnterpriseSecuritySuite\local\savedsearches.conf

Old Stanza
[Unique_Hosts_Logged_Into_Per_Day]

New Stanza
[MyCompany Unique_Hosts_Logged_Into_Per_Day]

0 Karma
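As an added example (not part of the thread and not Splunk's own code), this script automates the manual string search described above and goes a little further: it lists every stanza name defined in `savedsearches.conf` by more than one app, and separately any stanza repeated within a single file. The function names and the sample app tree are constructed for illustration; a stanza present in both `default` and `local` of the same app is normal layering and is not reported.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

STANZA = re.compile(r"^\[([^\]]+)\]\s*$")  # a stanza header line, e.g. [My Search]

def stanzas_in(conf_path):
    """Yield stanza names from one .conf file in file order."""
    text = Path(conf_path).read_text(encoding="utf-8", errors="replace")
    for line in text.splitlines():
        m = STANZA.match(line.strip())
        if m and m.group(1) != "default":   # [default] holds global settings
            yield m.group(1)

def find_duplicates(apps_dir, conf="savedsearches.conf"):
    """Return (cross_app, same_file) for <apps_dir>/<app>/{default,local}/<conf>."""
    apps_by_stanza, same_file = defaultdict(set), []
    for path in sorted(Path(apps_dir).glob(f"*/*/{conf}")):
        layer, app = path.parent.name, path.parent.parent.name
        if layer not in ("default", "local"):
            continue
        seen = set()
        for name in stanzas_in(path):
            if name in seen:                 # repeated inside a single file
                same_file.append((app, layer, name))
            seen.add(name)
            apps_by_stanza[name].add(app)
    cross_app = {s: sorted(a) for s, a in apps_by_stanza.items() if len(a) > 1}
    return cross_app, same_file

def demo():
    """Build a constructed etc/apps tree in a temp dir and scan it."""
    name = "Unique_Hosts_Logged_Into_Per_Day"
    files = {  # constructed sample content, not real app configuration
        "Splunk_Security_Essentials/default": f"[{name}]\nsearch = a\n",
        "SplunkEnterpriseSecuritySuite/local": f"# note\n[{name}]\nsearch = b\n",
        "my_app/default": "[default]\n[Only Here]\nsearch = c\n",
        "my_app/local": "[Only Here]\ndisabled = 1\n[Twice]\n[Twice]\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            d = Path(root, rel)
            d.mkdir(parents=True)
            (d / "savedsearches.conf").write_text(body, encoding="utf-8")
        return find_duplicates(root)

if __name__ == "__main__":
    print(demo())
```

To scan a real installation, call `find_duplicates()` with the path to the `etc/apps` directory of the Splunk instance.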

cjecwest
Explorer

Interesting - now receiving messages with the renamed stanza and I only changed one savedsearch.conf.

0 Karma

cjecwest
Explorer

Thanks, that's helpful. Interestingly, I am seeing similar messages that report the duplication is in the same app.

0 Karma

kent_farries
Path Finder

I had some extra cycles to troubleshoot this and it looks like my SOC team had created a search in Enterprise Security with the same name a while back. I just renamed the saved search in ES.

You can ignore this issue.
