All Apps and Add-ons

Configuration file settings may be duplicated in multiple apps after installing splunk app for pci compliance

EPS_SPLUNK
Explorer

After installing splunk 6.6.3 i have configured log sending from various sources: windows servers, Linux servers, vmware esxvcenter and esxi. The last action was installing and initialy configuring splunk-app-for-pci-compliance-splunk-enterprise_341.spl.
But finally i got a lot of messages (above 1000 during weekend) like
Configuration file settings may be duplicated in multiple apps: stanza="Utils - Top REST by duration" conf_type="savedsearches" apps="SA-Utils,SA-VMNetAppUtils"
Can you help me how to prevent this flood of messages?

Tags (1)

jcooper_tzt
Explorer

Just an FYI for anyone else coming across this issue, Enterprise Security also comes with it's own SA-Utils which has a lot of functionality baked into it that is not in the SA-VMNetAppUtils app, so you cannot disable it. I'm uncertain how to resolve the duplicates in this instance because we are attempting to setup Netapp ONTAP logging on the same instance as ES (not recommended I know, but it's a standalone instance/demo environment).

0 Karma

nickhills
Ultra Champion

I would open a ticket with support - typically I think that app is sold with proServices to perform the install.
It is possibly just a case of disabling the duplicate extractions in the PCI app but you should check with support first, in case they recommend disabling the other TA/SAs as preference.

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Did this help you? If you found it useful, please be sure to accept/upvote any posts which helped, as it provides useful feedback for future viewers of your question. Good luck!

If my comment helps, please give it a thumbs up!
0 Karma

EPS_SPLUNK
Explorer

I wrote to support and they told me, that i had do disable SA-Utils app. And this helped me to solve the problem.

0 Karma

nickhills
Ultra Champion

Great news, please be sure to accept my answer and up vote if I helped - It means future visitors know you found a solution!

If my comment helps, please give it a thumbs up!
0 Karma

EPS_SPLUNK
Explorer

I have tried to reboot Splunk enterprise server, but it doesn't help me. I still have a lot of messages like:

Configuration file settings may be duplicated in multiple apps: stanza="Utils - User Realnames - Lookup Gen" conf_type="savedsearches" apps="SA-VMNetAppUtils,SA-Utils"
Configuration file settings may be duplicated in multiple apps: stanza="Utils - Top REST by duration" conf_type="savedsearches" apps="SA-Utils,SA-VMNetAppUtils"

and so on

0 Karma

hardikJsheth
Motivator

Did you restart your Splunk server after installing PCI app?

0 Karma

EPS_SPLUNK
Explorer

After restarting i still have several hundreds messages per day:

Configuration file settings may be duplicated in multiple apps: stanza="Per-Panel Filtering - Activity By User Over Time" conf_type="savedsearches" apps="SA-Utils,SA-VMNetAppUtils"

Configuration file settings may be duplicated in multiple apps: stanza="Utils - Top REST actions by sourcetype" conf_type="savedsearches" apps="SA-Utils,SA-VMNetAppUtils"

Configuration file settings may be duplicated in multiple apps: stanza="Utils - User Realnames - Lookup Gen" conf_type="savedsearches" apps="SA-VMNetAppUtils,SA-Utils"

0 Karma

EPS_SPLUNK
Explorer

I still have the same problems.

0 Karma

nickhills
Ultra Champion

Where are these messages displayed - on Stdout when you restart?

If my comment helps, please give it a thumbs up!
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!