Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk ES - Configuration file settings may be duplicated in multiple apps

DEAD_BEEF
Builder
‎05-16-2019 07:10 PM

Just started getting this warning today.
alt text

Configuration file settings may be duplicated in multiple apps: stanza="Notable - Events Over Time" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SplunkEnterpriseSecuritySuite"

Based on the message text, I thought that there is a search with the name Notable - Events Over Time that must be in savedsearches.conf twice. Unexpectedly, it is not in /local/savedsearches.conf at all. I checked the /default/savedsearches.conf and that stanza does not appear twice. I saw similar issues posted here and here but these don't seem to apply in this situation.

[splunk@hostname apps]$ pwd
/opt/splunk/etc/apps
[splunk@hostname apps]$ find . -name savedsearches.conf | xargs grep -i "Notable - Events Over Time"
./SplunkEnterpriseSecuritySuite/default.old.20190319-222605/savedsearches.conf:[Notable - Events Over Time]
./SplunkEnterpriseSecuritySuite/default.old.20190319-222605/savedsearches.conf:[Notable - Events Over Time By Security Domain]
./SplunkEnterpriseSecuritySuite/default/savedsearches.conf:[Notable - Events Over Time]
./SplunkEnterpriseSecuritySuite/default/savedsearches.conf:[Notable - Events Over Time By Security Domain]
[splunk@hostname apps]$

I don't see any duplicate or copy that's listed in the error message. Really puzzled...

2019-05-17 01:56:10,620+0000 WARNING pid=16225 tid=MainThread file=configuration_check.py:run:228 | status="completed" task="confcheck_es_correlationmigration" message="Configuration file settings may be duplicated in multiple apps: stanza="Notable - Events Over Time" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SplunkEnterpriseSecuritySuite""
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎05-17-2019 12:57 AM

I encountered this issue few months back and I have had Scheduled search with same title but one was private and other one was shared on app level. Please check in $SPLUNK_HOME/etc/users/ with same saved search.

View solution in original post

Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎05-17-2019 12:57 AM

I encountered this issue few months back and I have had Scheduled search with same title but one was private and other one was shared on app level. Please check in $SPLUNK_HOME/etc/users/ with same saved search.

Reply
Solved! Jump to solution

treven
Explorer
Friday

This exact scenario just happened in our environment as well and it turned out a savedsearch with the same name was under a different user. Thank you for providing this old but still applicable post! 

0 Karma
Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎05-17-2019 06:24 AM

@harsmarvania57 this was it! It was one of the users with the exact named search. Please change your response to an answer so I can accept. Thank you!

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎05-17-2019 06:26 AM

Glad that it solved the issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...