Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk ES - Configuration Errors on Splunk UI

vinkumar_splunk
Splunk Employee
Splunk Employee
‎03-21-2019 10:20 PM

We noticed Configuration Errors on Splunk UI, Investigated the errors and this is from the rules. No changes made to rule. We even disabled some set of rules, but still, see the errors.

Message:

Configuration file settings may be duplicated in multiple apps: stanza="Endpoint - Outbreak Observed - Rule" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SA-EndpointProtection""

0 Karma
Reply

mbadhusha_splun
Splunk Employee
Splunk Employee
‎03-22-2019 12:09 AM

Looks like you have two savedsearches.conf for a similar saved search on your ES search head. You cannot have multiple saved searches that carry the same name.

The configuration checker script that runs in the background will flag this as a warning message to the UI as you're observing.

The saved search "Endpoint - Outbreak Observed - Rule" is present in the below two savedsearches.conf which is causing a conflict here.

find . -name savedsearches.conf | xargs grep -i "Endpoint - Outbreak Observed - Rule"
./apps/SA-EndpointProtection/default/savedsearches.conf:[Endpoint - Outbreak Observed - Rule]
./apps/SA-EndpointProtection/local/savedsearches.conf:[Endpoint - Outbreak Observed - Rule]
./users/kquesada/SplunkEnterpriseSecuritySuite/local/savedsearches.conf:[Endpoint - Outbreak Observed - Rule]

It's doubtful a user had cloned this search and saved it with the same name as the Splunk UI will report the error:

"A saved search with that name already exists"

In this case, I'm assuming that the savedsearches.conf file for "Endpoint - Outbreak Observed - Rule" may have been manually copied to the user's folder in $SPLUNK_etc/users/~

To fix this, you'll need to remove either reference to this search or rename the one in the user directory.

You will observe the below logs when you run into this issue.

REF:

2019-03-18 17:22:38,988+0000 WARNING pid=36415 tid=MainThread file=configuration_check.py:run:165 | status="completed" task="confcheck_es_correlationmigration" message="Configuration file settings may be duplicated in multiple apps: stanza="Endpoint - Outbreak Observed - Rule" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SA-EndpointProtection""
host = secsplunk-sc2-es1.vmware.com source = /opt/splunkcoreengine/ce_customers/0014000000KBwJnAAL/1319898/secsplunk-sc2-es1.vmware.com-sh_idx_uf_hf_lf_dplyr_cm_ds_ls_-20190319-073940/log/configuration_check.log sourcetype = configuration_check

2019-03-18 17:12:38,472+0000 WARNING pid=29372 tid=MainThread file=configuration_check.py:run:165 | status="completed" task="confcheck_es_correlationmigration" message="Configuration file settings may be duplicated in multiple apps: stanza="Endpoint - Outbreak Observed - Rule" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SA-EndpointProtection""

Hope this helps!

0 Karma
Reply

LukeMurphey
Champion
‎03-21-2019 10:56 PM

This means that there are two savedsearches.conf files in different apps that both provide modifications to the "Endpoint - Outbreak Observed - Rule" search. It is best not to have two conf files overriding the same saved search from different apps because this can cause conflicts that cause some of the customizations to appear be overridden.

This is easy to fix though. To fix this, go to the filesystem on the search head (or deployer if using SHC). You would likely do this by accessing the search head via SSH (assuming you are using Linux).

Open the file $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf and find the entry for "Endpoint - Outbreak Observed - Rule". Move this entry to $SPLUNK_HOME/etc/apps/SA-EndpointProtection/local/savedsearches.conf in order to put it in the same app as the one where the search was defined.

0 Karma
Reply

deepashri_123
Motivator
‎03-21-2019 10:27 PM

Hey vinkumar,

Can you try renaming your search?
Your problem looks similar to this answer:
https://answers.splunk.com/answers/523527/configuration-file-settings-may-be-duplicated-in-m-1.html

Let me know if this helps!!

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...