Splunk Enterprise Security

Splunk ES - Configuration Errors on Splunk UI

vinkumar_splunk
Splunk Employee

We noticed configuration errors in the Splunk UI. We investigated the errors, and they come from the rules. No changes were made to the rules. We even disabled a set of rules, but we still see the errors.

Message:

Configuration file settings may be duplicated in multiple apps: stanza="Endpoint - Outbreak Observed - Rule" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SA-EndpointProtection""


mbadhusha_splun
Splunk Employee

Looks like you have two savedsearches.conf for a similar saved search on your ES search head. You cannot have multiple saved searches that carry the same name.

The configuration checker script that runs in the background will flag this as a warning message to the UI as you're observing.

The saved search "Endpoint - Outbreak Observed - Rule" is present in the below two savedsearches.conf which is causing a conflict here.

find . -name savedsearches.conf | xargs grep -i "Endpoint - Outbreak Observed - Rule"
./apps/SA-EndpointProtection/default/savedsearches.conf:[Endpoint - Outbreak Observed - Rule]
./apps/SA-EndpointProtection/local/savedsearches.conf:[Endpoint - Outbreak Observed - Rule]
./users/kquesada/SplunkEnterpriseSecuritySuite/local/savedsearches.conf:[Endpoint - Outbreak Observed - Rule]

It's doubtful a user had cloned this search and saved it with the same name as the Splunk UI will report the error:

"A saved search with that name already exists"

In this case, I'm assuming that the savedsearches.conf file for "Endpoint - Outbreak Observed - Rule" may have been manually copied to the user's folder in $SPLUNK_etc/users/~

To fix this, you'll need to remove either reference to this search or rename the one in the user directory.

You will observe the below logs when you run into this issue.

REF:

2019-03-18 17:22:38,988+0000 WARNING pid=36415 tid=MainThread file=configuration_check.py:run:165 | status="completed" task="confcheck_es_correlationmigration" message="Configuration file settings may be duplicated in multiple apps: stanza="Endpoint - Outbreak Observed - Rule" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SA-EndpointProtection""
host = secsplunk-sc2-es1.vmware.com source = /opt/splunkcoreengine/ce_customers/0014000000KBwJnAAL/1319898/secsplunk-sc2-es1.vmware.com-sh_idx_uf_hf_lf_dplyr_cm_ds_ls_-20190319-073940/log/configuration_check.log sourcetype = configuration_check

2019-03-18 17:12:38,472+0000 WARNING pid=29372 tid=MainThread file=configuration_check.py:run:165 | status="completed" task="confcheck_es_correlationmigration" message="Configuration file settings may be duplicated in multiple apps: stanza="Endpoint - Outbreak Observed - Rule" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SA-EndpointProtection""

Hope this helps!


LukeMurphey
Champion

This means that there are two savedsearches.conf files in different apps that both provide modifications to the "Endpoint - Outbreak Observed - Rule" search. It is best not to have two conf files overriding the same saved search from different apps, because this can cause conflicts that make some of the customizations appear to be overridden.

This is easy to fix though. To fix this, go to the filesystem on the search head (or deployer if using SHC). You would likely do this by accessing the search head via SSH (assuming you are using Linux).

Open the file $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf and find the entry for "Endpoint - Outbreak Observed - Rule". Move this entry to $SPLUNK_HOME/etc/apps/SA-EndpointProtection/local/savedsearches.conf in order to put it in the same app as the one where the search was defined.

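As an added example (not code from this thread and not Splunk's own configuration checker), the following Python script automates the check that mbadhusha_splun ran with find/grep and that LukeMurphey describes: it walks an etc/ tree, attributes each savedsearches.conf to its owning app (a user-level file counts as the app it sits under, while default/ and local/ of one app are normal layering and count as one app), and reports every stanza defined in more than one app. The sample tree it builds, the kquesada user path and the "Endpoint - Sample Only - Rule" stanza are constructed to mirror the file list in the thread; the function names are my own.

```python
import os
import re
import tempfile
from collections import defaultdict

STANZA_RE = re.compile(r"^\[(.+)\]$")

def stanza_names(path):
    """Return the [stanza] names found in one .conf file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        matches = (STANZA_RE.match(line.strip()) for line in fh)
        return [m.group(1) for m in matches if m]

def owning_app(conf_path, etc_dir):
    """apps/<app>/... -> <app>; users/<user>/<app>/... -> <app>.
    default/ and local/ of one app layer normally, so they count as one app."""
    rel = os.path.relpath(conf_path, etc_dir).split(os.sep)
    if rel[0] == "apps":
        return rel[1]
    if rel[0] == "users":
        return rel[2]
    return rel[0]

def find_duplicate_stanzas(etc_dir, conf_name="savedsearches.conf"):
    """Return {stanza: sorted app list} for stanzas defined in more than one app."""
    seen = defaultdict(set)
    for root, _dirs, files in os.walk(etc_dir):
        if conf_name in files:
            path = os.path.join(root, conf_name)
            for name in stanza_names(path):
                seen[name].add(owning_app(path, etc_dir))
    return {name: sorted(apps) for name, apps in seen.items() if len(apps) > 1}

def build_sample_etc():
    """Constructed etc/ tree mirroring the three files listed in the thread."""
    etc = tempfile.mkdtemp(prefix="splunk_etc_")
    rule = "[Endpoint - Outbreak Observed - Rule]\nenableSched = 1\n"
    files = {
        "apps/SA-EndpointProtection/default/savedsearches.conf": rule,
        # second, constructed stanza that exists in only one app (must not be flagged)
        "apps/SA-EndpointProtection/local/savedsearches.conf": rule + "[Endpoint - Sample Only - Rule]\n",
        "users/kquesada/SplunkEnterpriseSecuritySuite/local/savedsearches.conf": rule,
    }
    for rel, body in files.items():
        path = os.path.join(etc, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return etc
```

Point find_duplicate_stanzas at $SPLUNK_HOME/etc on the search head (or the deployer's shcluster/apps tree) to list the same stanza/apps pairs the configuration checker reports, and check other conf types by passing a different conf_name.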

deepashri_123
Motivator

Hey vinkumar,

Can you try renaming your search?
Your problem looks similar to this answer:
https://answers.splunk.com/answers/523527/configuration-file-settings-may-be-duplicated-in-m-1.html

Let me know if this helps!!
