All Apps and Add-ons

Fire Brigade - ERROR ApplicationManager - Unexpected duplicate app: TA-fire_brigade

Communicator

Config: Splunk 6.x, Search head pooling, cluster of indexers.

Error on indexers:
ERROR ApplicationManager - Unexpected duplicate app: TA-fire_brigade

On the indexers we have under $SPLUNK_HOME/etc:

  • apps/TA-Firebrigade -> lookup and monitoredindex.csv
  • slave-apps/TA-Fire_brigade -> apps, macros, transforms, etc.
  • users/splunk-system-user/TA-Fire_brigade -> metadata, savedsearches

cant find anything actually duplicate

Tags (1)
0 Karma
1 Solution

Motivator

The problem is that the app (folder) TA-Fire_brigade exists in both etc/apps and etc/slave-apps. Splunk wants you to have the app in one place or the other, not both.

View solution in original post

Community Manager
Community Manager

FYI, Fire Brigade version 2 will no longer be updated (latest version is 2.0.3). The newer versions 2.0.4 and higher will now be available with the original “Fire Brigade” app on Splunkbase which was just updated to support Splunk 6.3. This is noted on the page for Fire Brigade on Splunkbase:
https://splunkbase.splunk.com/app/1581/

If you have any questions, ping the developer of the app @sowings

Cheers!

0 Karma

SplunkTrust
SplunkTrust

Often a duplicate app gets created if Splunk has to modify a file in slaveapps and cannot -- I've seen this when, for example, the app in slaveapps contains an unencrypted password and Splunk wants to encrypt it. It can't write it back to slave_apps since it's read only, so it writes it to the normal apps directory. The solution is to have the app with the password be pushed to the slaves in a different (out of band) way, or to have a secondary app that is used for this.

An example might be a cluster-bundled app (so it's pushed to slaveapps) called companydata that doesn't contain the plaintext password and a local apps/companydataunique that is manually copied to all the indexers.

Explorer

It's a bug in splunk:

http://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Knownissues

Clustering error "unexpected duplicate app" for apps in both $SPLUNKHOME/etc/apps and $SPLUNKHOME/etc/slave-apps. When a lookup or a configuration file is created it goes to the /etc/apps, while the same file may exists in the /etc/slave-apps, causing this warning. (SPL-70433)

Splunk Employee
Splunk Employee

slave-apps is read only. Only Cluster Master can write. If an app writes to it's own files it can not live in slave-apps obvisiouly. Do not deploy with CM then, deploy manually.

0 Karma

Communicator

don't seem to be able to comment your comment.
nope. renamed the cluster app, but Splunk is still complaining:

03-15-2014 04:53:08.384 +0000 ERROR ProcessTracker - (child923039RollFixMetadata) ApplicationManager - Unexpected duplicate app: TA-firebrigade

03-15-2014 04:55:23.011 +0000 ERROR ProcessTracker - (child923211RollFixMetadata) ApplicationManager - Unexpected duplicate app: TA-firebrigade

03-15-2014 05:14:45.425 +0000 INFO ClusterSlaveConfigReloader - The following new apps were downloaded in the new bundle - 'TA-fire_brigade-clustapp'.

03-15-2014 05:14:45.425 +0000 INFO ClusterSlaveConfigReloader - The following apps were removed from the downloaded bundle -'TA-fire_brigade'.

splunk @ /opt/splunk/etc # find -name brigade -type d

./apps/TA-fire_brigade

./users/splunk-system-user/TA-fire_brigade

./slave-apps/TA-fire_brigade-clustapp

./slave-apps.old/TA-fire_brigade

0 Karma

Motivator

The problem is that the app (folder) TA-Fire_brigade exists in both etc/apps and etc/slave-apps. Splunk wants you to have the app in one place or the other, not both.

View solution in original post

Communicator

removed the slave app altogether. Doesn't explain tho how the etc/apps got there (not in serverclass.conf).

0 Karma