Splunk ES - Configuration file settings may be duplicated in multiple apps

DEAD_BEEF
Builder

Just started getting this warning today.

Configuration file settings may be duplicated in multiple apps: stanza="Notable - Events Over Time" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SplunkEnterpriseSecuritySuite" 

Based on the message text, I thought that there was a search named Notable - Events Over Time that must be in savedsearches.conf twice. Unexpectedly, it is not in /local/savedsearches.conf at all. I checked /default/savedsearches.conf and that stanza does not appear twice. I saw similar issues posted here and here, but these don't seem to apply in this situation.

[splunk@hostname apps]$ pwd
/opt/splunk/etc/apps
[splunk@hostname apps]$ find . -name savedsearches.conf | xargs grep -i "Notable - Events Over Time"
./SplunkEnterpriseSecuritySuite/default.old.20190319-222605/savedsearches.conf:[Notable - Events Over Time]
./SplunkEnterpriseSecuritySuite/default.old.20190319-222605/savedsearches.conf:[Notable - Events Over Time By Security Domain]
./SplunkEnterpriseSecuritySuite/default/savedsearches.conf:[Notable - Events Over Time]
./SplunkEnterpriseSecuritySuite/default/savedsearches.conf:[Notable - Events Over Time By Security Domain]
[splunk@hostname apps]$

I don't see any duplicate or copy that's listed in the error message. Really puzzled...

2019-05-17 01:56:10,620+0000 WARNING pid=16225 tid=MainThread file=configuration_check.py:run:228 | status="completed" task="confcheck_es_correlationmigration" message="Configuration file settings may be duplicated in multiple apps: stanza="Notable - Events Over Time" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SplunkEnterpriseSecuritySuite""

harsmarvania57
Ultra Champion

I encountered this issue a few months back. I had a scheduled search with the same title, but one was private and the other one was shared at app level. Please check in $SPLUNK_HOME/etc/users/ for a saved search with the same name.

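An added example, not from the thread or from Splunk: a POSIX shell function that lists savedsearches.conf stanza names present in more than one loaded config file under both etc/apps and etc/users, which is the check recommended above (the original find command only looked under etc/apps). The sample tree it builds is constructed, and the user name "admin" and the search definitions in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report savedsearches.conf stanza
# names that occur in more than one loaded config file, looking under both
# etc/apps and etc/users. Only default/ and local/ directories count;
# backup directories such as default.old.* are skipped.

find_duplicate_stanzas() {
    root="$1"   # $SPLUNK_HOME, e.g. /opt/splunk
    find "$root/etc/apps" "$root/etc/users" -type f -name savedsearches.conf \
         \( -path '*/default/*' -o -path '*/local/*' \) -exec awk '
        # Record every [stanza] header with the file it came from.
        /^\[.*]$/ {
            name[++k] = substr($0, 2, length($0) - 2)
            file[k]   = FILENAME
            count[name[k]]++
        }
        # Print only stanzas that appear in two or more files.
        END {
            for (i = 1; i <= k; i++)
                if (count[name[i]] > 1) print name[i] "\t" file[i]
        }
    ' {} + | sort
}

# Constructed sample tree mirroring the thread: the stanza is defined in the
# app default/ and again in a private search of the (assumed) user "admin".
make_sample_tree() {
    root="$1"
    app="SplunkEnterpriseSecuritySuite"
    mkdir -p "$root/etc/apps/$app/default" \
             "$root/etc/apps/$app/default.old.20190319-222605" \
             "$root/etc/users/admin/$app/local"
    printf '[Notable - Events Over Time]\nsearch = index=notable\n\n[Notable - Events Over Time By Security Domain]\nsearch = index=notable\n' \
        > "$root/etc/apps/$app/default/savedsearches.conf"
    cp "$root/etc/apps/$app/default/savedsearches.conf" \
       "$root/etc/apps/$app/default.old.20190319-222605/savedsearches.conf"
    printf '[Notable - Events Over Time]\nsearch = index=notable | stats count\n' \
        > "$root/etc/users/admin/$app/local/savedsearches.conf"
}

# On a live instance: find_duplicate_stanzas /opt/splunk
# With --demo, run against the constructed tree instead.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    find_duplicate_stanzas "$tmp"
    rm -rf "$tmp"
fi
```

Each output line is a stanza name, a tab, and one file defining it, so a stanza listed twice with an etc/users path is the private-versus-shared case described in the answer.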
treven
Explorer

This exact scenario just happened in our environment as well, and it turned out a saved search with the same name was under a different user. Thank you for providing this old but still applicable post!


DEAD_BEEF
Builder

@harsmarvania57 this was it! It was one of the users with the exact named search. Please change your response to an answer so I can accept. Thank you!


harsmarvania57
Ultra Champion

Glad that it solved the issue.
