Reporting

Splunk ES - Configuration file settings may be duplicated in multiple apps

Builder

Just started getting this warning today.
alt text

Configuration file settings may be duplicated in multiple apps: stanza="Notable - Events Over Time" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SplunkEnterpriseSecuritySuite" 

Based on the message text, I thought that there is a search with the name Notable - Events Over Time that must be in savedsearches.conf twice. Unexpectedly, it is not in /local/savedsearches.conf at all. I checked the /default/savedsearches.conf and that stanza does not appear twice. I saw similar issues posted here and here but these don't seem to apply in this situation.

[splunk@hostname apps]$ pwd
/opt/splunk/etc/apps
[splunk@hostname apps]$ find . -name savedsearches.conf | xargs grep -i "Notable - Events Over Time"
./SplunkEnterpriseSecuritySuite/default.old.20190319-222605/savedsearches.conf:[Notable - Events Over Time]
./SplunkEnterpriseSecuritySuite/default.old.20190319-222605/savedsearches.conf:[Notable - Events Over Time By Security Domain]
./SplunkEnterpriseSecuritySuite/default/savedsearches.conf:[Notable - Events Over Time]
./SplunkEnterpriseSecuritySuite/default/savedsearches.conf:[Notable - Events Over Time By Security Domain]
[splunk@hostname apps]$

I don't see any duplicate or copy that's listed in the error message. Really puzzled...

2019-05-17 01:56:10,620+0000 WARNING pid=16225 tid=MainThread file=configuration_check.py:run:228 | status="completed" task="confcheck_es_correlationmigration" message="Configuration file settings may be duplicated in multiple apps: stanza="Notable - Events Over Time" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SplunkEnterpriseSecuritySuite""
0 Karma
1 Solution

SplunkTrust
SplunkTrust

I encountered this issue few months back and I have had Scheduled search with same title but one was private and other one was shared on app level. Please check in $SPLUNK_HOME/etc/users/ with same saved search.

View solution in original post

SplunkTrust
SplunkTrust

I encountered this issue few months back and I have had Scheduled search with same title but one was private and other one was shared on app level. Please check in $SPLUNK_HOME/etc/users/ with same saved search.

View solution in original post

Builder

@harsmarvania57 this was it! It was one of the users with the exact named search. Please change your response to an answer so I can accept. Thank you!

0 Karma

SplunkTrust
SplunkTrust

Glad that it solved the issue.

0 Karma