Config: Splunk 6.x, Search head pooling, cluster of indexers.
Error on indexers:
ERROR ApplicationManager - Unexpected duplicate app: TA-fire_brigade
On the indexers we have under $SPLUNK_HOME/etc:
Can't find anything actually duplicate.
The problem is that the app (folder) TA-Fire_brigade exists in both etc/apps and etc/slave-apps. Splunk wants you to have the app in one place or the other, not both.
FYI, Fire Brigade version 2 will no longer be updated (latest version is 2.0.3). The newer versions 2.0.4 and higher will now be available with the original “Fire Brigade” app on Splunkbase which was just updated to support Splunk 6.3. This is noted on the page for Fire Brigade on Splunkbase:
https://splunkbase.splunk.com/app/1581/
If you have any questions, ping the developer of the app @sowings
Cheers!
Often a duplicate app gets created if Splunk has to modify a file in slave_apps and cannot -- I've seen this when, for example, the app in slave_apps contains an unencrypted password and Splunk wants to encrypt it. It can't write it back to slave_apps since it's read only, so it writes it to the normal apps directory. The solution is to have the app with the password be pushed to the slaves in a different (out of band) way, or to have a secondary app that is used for this.
An example might be a cluster-bundled app (so it's pushed to slave_apps) called company_data that doesn't contain the plaintext password and a local apps/company_data_unique that is manually copied to all the indexers.
It's a bug in Splunk:
http://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Knownissues
Clustering error "unexpected duplicate app" for apps in both $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/slave-apps. When a lookup or a configuration file is created it goes to the /etc/apps, while the same file may exist in the /etc/slave-apps, causing this warning. (SPL-70433)
slave-apps is read only. Only Cluster Master can write. If an app writes to its own files it cannot live in slave-apps, obviously. Do not deploy with CM then, deploy manually.
Don't seem to be able to comment on your comment.
Nope. Renamed the cluster app, but Splunk is still complaining:
03-15-2014 04:53:08.384 +0000 ERROR ProcessTracker - (child_923039__RollFixMetadata) ApplicationManager - Unexpected duplicate app: TA-fire_brigade
03-15-2014 04:55:23.011 +0000 ERROR ProcessTracker - (child_923211__RollFixMetadata) ApplicationManager - Unexpected duplicate app: TA-fire_brigade
03-15-2014 05:14:45.425 +0000 INFO ClusterSlaveConfigReloader - The following new apps were downloaded in the new bundle - 'TA-fire_brigade-clustapp'.
03-15-2014 05:14:45.425 +0000 INFO ClusterSlaveConfigReloader - The following apps were removed from the downloaded bundle -'TA-fire_brigade'.
splunk @ /opt/splunk/etc # find -name "*brigade*" -type d
./apps/TA-fire_brigade
./users/splunk-system-user/TA-fire_brigade
./slave-apps/TA-fire_brigade-clustapp
./slave-apps.old/TA-fire_brigade
Removed the slave app altogether. Doesn't explain though how the etc/apps got there (not in serverclass.conf).
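
A check for the condition discussed in this thread, added here as an example and not part of any post or of Splunk's own tooling: it lists app directories present in both etc/apps and etc/slave-apps and marks which files in the etc/apps copy also exist in the bundle copy. The function names and the sample tree (including its passwords.conf file) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report apps that exist in both etc/apps and
# etc/slave-apps, the condition behind "Unexpected duplicate app".

# Print each app directory name present under both ETC/apps and ETC/slave-apps.
find_duplicate_apps() {
    etc=$1
    for path in "$etc"/apps/*/; do
        [ -d "$path" ] || continue            # glob matched nothing
        app=$(basename "$path")
        if [ -d "$etc/slave-apps/$app" ]; then
            printf '%s\n' "$app"
        fi
    done
}

# For one duplicated app, list the files in its etc/apps copy. "shadows-bundle":
# the cluster bundle ships the same file; "apps-only": only etc/apps has it.
classify_local_files() {
    etc=$1 app=$2
    (cd "$etc/apps/$app" && find . -type f | sort) | while IFS= read -r f; do
        f=${f#./}
        if [ -e "$etc/slave-apps/$app/$f" ]; then
            printf 'shadows-bundle %s\n' "$f"
        else
            printf 'apps-only %s\n' "$f"
        fi
    done
}

# Constructed sample layout modelled on the directories named in the thread.
make_sample_etc() {
    root=$(mktemp -d)
    mkdir -p "$root/apps/TA-fire_brigade/local" "$root/apps/search/local" \
             "$root/slave-apps/TA-fire_brigade/default" \
             "$root/slave-apps/TA-fire_brigade/local"
    : > "$root/slave-apps/TA-fire_brigade/default/app.conf"
    : > "$root/slave-apps/TA-fire_brigade/local/inputs.conf"
    : > "$root/apps/TA-fire_brigade/local/inputs.conf"
    : > "$root/apps/TA-fire_brigade/local/passwords.conf"
    printf '%s\n' "$root"
}

# Use the etc directory given as $1, or the constructed sample if none is given.
ETC_DIR=${1:-$(make_sample_etc)}
find_duplicate_apps "$ETC_DIR" | while IFS= read -r dup; do
    echo "duplicate app: $dup"
    classify_local_files "$ETC_DIR" "$dup"
done
```

Pass an indexer's etc directory (for example /opt/splunk/etc) as the first argument to run it against a real layout; the script only reads from that directory.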