All Apps and Add-ons

Fire Brigade - ERROR ApplicationManager - Unexpected duplicate app: TA-fire_brigade

greich
Communicator

Config: Splunk 6.x, Search head pooling, cluster of indexers.

Error on indexers:
ERROR ApplicationManager - Unexpected duplicate app: TA-fire_brigade

On the indexers we have under $SPLUNK_HOME/etc:

  • apps/TA-Fire_brigade -> lookup and monitored_index.csv
  • slave-apps/TA-Fire_brigade -> apps, macros, transforms, etc.
  • users/splunk-system-user/TA-Fire_brigade -> metadata, savedsearches

cant find anything actually duplicate

Tags (1)
0 Karma
1 Solution

Jason
Motivator

The problem is that the app (folder) TA-Fire_brigade exists in both etc/apps and etc/slave-apps. Splunk wants you to have the app in one place or the other, not both.

View solution in original post

ppablo
Retired

FYI, Fire Brigade version 2 will no longer be updated (latest version is 2.0.3). The newer versions 2.0.4 and higher will now be available with the original “Fire Brigade” app on Splunkbase which was just updated to support Splunk 6.3. This is noted on the page for Fire Brigade on Splunkbase:
https://splunkbase.splunk.com/app/1581/

If you have any questions, ping the developer of the app @sowings

Cheers!

0 Karma

ckurtz
Path Finder

Often a duplicate app gets created if Splunk has to modify a file in slave_apps and cannot -- I've seen this when, for example, the app in slave_apps contains an unencrypted password and Splunk wants to encrypt it. It can't write it back to slave_apps since it's read only, so it writes it to the normal apps directory. The solution is to have the app with the password be pushed to the slaves in a different (out of band) way, or to have a secondary app that is used for this.

An example might be a cluster-bundled app (so it's pushed to slave_apps) called company_data that doesn't contain the plaintext password and a local apps/company_data_unique that is manually copied to all the indexers.

vchepkov
Explorer

It's a bug in splunk:

http://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Knownissues

Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps. When a lookup or a configuration file is created it goes to the /etc/apps, while the same file may exists in the /etc/slave-apps, causing this warning. (SPL-70433)

apfender_splunk
Splunk Employee
Splunk Employee

slave-apps is read only. Only Cluster Master can write. If an app writes to it's own files it can not live in slave-apps obvisiouly. Do not deploy with CM then, deploy manually.

0 Karma

greich
Communicator

don't seem to be able to comment your comment.
nope. renamed the cluster app, but Splunk is still complaining:

03-15-2014 04:53:08.384 +0000 ERROR ProcessTracker - (child_923039__RollFixMetadata) ApplicationManager - Unexpected duplicate app: TA-fire_brigade

03-15-2014 04:55:23.011 +0000 ERROR ProcessTracker - (child_923211__RollFixMetadata) ApplicationManager - Unexpected duplicate app: TA-fire_brigade

03-15-2014 05:14:45.425 +0000 INFO ClusterSlaveConfigReloader - The following new apps were downloaded in the new bundle - 'TA-fire_brigade-clustapp'.

03-15-2014 05:14:45.425 +0000 INFO ClusterSlaveConfigReloader - The following apps were removed from the downloaded bundle -'TA-fire_brigade'.

splunk @ /opt/splunk/etc # find -name brigade -type d

./apps/TA-fire_brigade

./users/splunk-system-user/TA-fire_brigade

./slave-apps/TA-fire_brigade-clustapp

./slave-apps.old/TA-fire_brigade

0 Karma

Jason
Motivator

The problem is that the app (folder) TA-Fire_brigade exists in both etc/apps and etc/slave-apps. Splunk wants you to have the app in one place or the other, not both.

greich
Communicator

removed the slave app altogether. Doesn't explain tho how the etc/apps got there (not in serverclass.conf).

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...