Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk ES - Configuration file settings may be duplicated in multiple apps

DEAD_BEEF
Builder
‎05-16-2019 07:10 PM

Just started getting this warning today.
alt text

Configuration file settings may be duplicated in multiple apps: stanza="Notable - Events Over Time" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SplunkEnterpriseSecuritySuite"

Based on the message text, I thought that there is a search with the name Notable - Events Over Time that must be in savedsearches.conf twice. Unexpectedly, it is not in /local/savedsearches.conf at all. I checked the /default/savedsearches.conf and that stanza does not appear twice. I saw similar issues posted here and here but these don't seem to apply in this situation.

[splunk@hostname apps]$ pwd
/opt/splunk/etc/apps
[splunk@hostname apps]$ find . -name savedsearches.conf | xargs grep -i "Notable - Events Over Time"
./SplunkEnterpriseSecuritySuite/default.old.20190319-222605/savedsearches.conf:[Notable - Events Over Time]
./SplunkEnterpriseSecuritySuite/default.old.20190319-222605/savedsearches.conf:[Notable - Events Over Time By Security Domain]
./SplunkEnterpriseSecuritySuite/default/savedsearches.conf:[Notable - Events Over Time]
./SplunkEnterpriseSecuritySuite/default/savedsearches.conf:[Notable - Events Over Time By Security Domain]
[splunk@hostname apps]$

I don't see any duplicate or copy that's listed in the error message. Really puzzled...

2019-05-17 01:56:10,620+0000 WARNING pid=16225 tid=MainThread file=configuration_check.py:run:228 | status="completed" task="confcheck_es_correlationmigration" message="Configuration file settings may be duplicated in multiple apps: stanza="Notable - Events Over Time" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SplunkEnterpriseSecuritySuite""
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎05-17-2019 12:57 AM

I encountered this issue few months back and I have had Scheduled search with same title but one was private and other one was shared on app level. Please check in $SPLUNK_HOME/etc/users/ with same saved search.

View solution in original post

Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎05-17-2019 12:57 AM

I encountered this issue few months back and I have had Scheduled search with same title but one was private and other one was shared on app level. Please check in $SPLUNK_HOME/etc/users/ with same saved search.

Reply
Solved! Jump to solution

treven
Explorer
‎05-03-2024 10:18 AM

This exact scenario just happened in our environment as well and it turned out a savedsearch with the same name was under a different user. Thank you for providing this old but still applicable post! 

0 Karma
Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎05-17-2019 06:24 AM

@harsmarvania57 this was it! It was one of the users with the exact named search. Please change your response to an answer so I can accept. Thank you!

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎05-17-2019 06:26 AM

Glad that it solved the issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...