Splunk ES - Configuration file settings may be duplicated in multiple apps

DEAD_BEEF
Builder

Just started getting this warning today.

Configuration file settings may be duplicated in multiple apps: stanza="Notable - Events Over Time" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SplunkEnterpriseSecuritySuite" 

Based on the message text, I thought that there is a search with the name Notable - Events Over Time that must be in savedsearches.conf twice. Unexpectedly, it is not in /local/savedsearches.conf at all. I checked the /default/savedsearches.conf and that stanza does not appear twice. I saw similar issues posted here and here but these don't seem to apply in this situation.

[splunk@hostname apps]$ pwd
/opt/splunk/etc/apps
[splunk@hostname apps]$ find . -name savedsearches.conf | xargs grep -i "Notable - Events Over Time"
./SplunkEnterpriseSecuritySuite/default.old.20190319-222605/savedsearches.conf:[Notable - Events Over Time]
./SplunkEnterpriseSecuritySuite/default.old.20190319-222605/savedsearches.conf:[Notable - Events Over Time By Security Domain]
./SplunkEnterpriseSecuritySuite/default/savedsearches.conf:[Notable - Events Over Time]
./SplunkEnterpriseSecuritySuite/default/savedsearches.conf:[Notable - Events Over Time By Security Domain]
[splunk@hostname apps]$

I don't see any duplicate or copy that's listed in the error message. Really puzzled...

2019-05-17 01:56:10,620+0000 WARNING pid=16225 tid=MainThread file=configuration_check.py:run:228 | status="completed" task="confcheck_es_correlationmigration" message="Configuration file settings may be duplicated in multiple apps: stanza="Notable - Events Over Time" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SplunkEnterpriseSecuritySuite""
0 Karma
1 Solution

harsmarvania57
Ultra Champion

I encountered this issue a few months back: I had a scheduled search with the same title, where one was private and the other was shared at app level. Please check in $SPLUNK_HOME/etc/users/ for the same saved search.


treven
Explorer

This exact scenario just happened in our environment as well and it turned out a savedsearch with the same name was under a different user. Thank you for providing this old but still applicable post! 

0 Karma

DEAD_BEEF
Builder

@harsmarvania57 this was it! It was one of the users with the exact named search. Please change your response to an answer so I can accept. Thank you!

0 Karma

harsmarvania57
Ultra Champion

Glad that it solved the issue.

0 Karma
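
The check from the accepted answer, as an added example that is not part of the original thread: it searches both app-level and per-user savedsearches.conf files for an exact stanza name, ignoring default.old.* backups and prefix matches such as "... By Security Domain". The function names `find_stanza` and `demo_tree`, the user `alice`, and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# find_stanza SPLUNK_HOME "Stanza Name"
# Prints "<scope><TAB><file>" for every live savedsearches.conf defining that exact stanza.
find_stanza() {
    home=$1 stanza=$2
    # Live layers only: apps/<app>/{default,local} and users/<user>/<app>/local.
    # Backup directories such as default.old.<timestamp> do not fit these patterns.
    find "$home/etc/apps" "$home/etc/users" -type f \
        \( -path "$home/etc/apps/*/default/savedsearches.conf" \
        -o -path "$home/etc/apps/*/local/savedsearches.conf" \
        -o -path "$home/etc/users/*/*/local/savedsearches.conf" \) 2>/dev/null |
    sort |
    while IFS= read -r conf; do
        # sed drops trailing whitespace/CR; grep -F treats the brackets literally and
        # -x needs the whole line, so "... By Security Domain" is not a hit.
        if sed 's/[[:space:]]*$//' "$conf" | grep -Fxq -- "[$stanza]"; then
            case $conf in
                "$home/etc/users/"*) scope=private ;;
                *) scope=app ;;
            esac
            printf '%s\t%s\n' "$scope" "$conf"
        fi
    done
}

# Constructed sample tree; the user name "alice" is made up.
demo_tree() {
    d=$(mktemp -d)
    app=SplunkEnterpriseSecuritySuite
    mkdir -p "$d/etc/apps/$app/default" "$d/etc/apps/$app/default.old.20190319-222605" \
        "$d/etc/users/alice/$app/local"
    printf '%s\n' '[Notable - Events Over Time]' \
        '[Notable - Events Over Time By Security Domain]' \
        > "$d/etc/apps/$app/default/savedsearches.conf"
    cp "$d/etc/apps/$app/default/savedsearches.conf" "$d/etc/apps/$app/default.old.20190319-222605/"
    printf '%s\r\n' '[Notable - Events Over Time]' 'search = index=placeholder' \
        > "$d/etc/users/alice/$app/local/savedsearches.conf"
    echo "$d"
}

tree=$(demo_tree)
find_stanza "$tree" "Notable - Events Over Time"
rm -rf "$tree"
```

On a real instance, call `find_stanza /opt/splunk "Notable - Events Over Time"`; a `private` line alongside an `app` line is the situation described in this thread.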