Just started getting this warning today.
![alt text][1]
Configuration file settings may be duplicated in multiple apps: stanza="Notable - Events Over Time" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SplunkEnterpriseSecuritySuite"
Based on the message text, I thought that there is a search with the name **Notable - Events Over Time** that must be in `savedsearches.conf` twice. Unexpectedly, it is not in */local/savedsearches.conf* at all. I checked the */default/savedsearches.conf* and that stanza does not appear twice. I saw similar issues posted [here][2] and [here][3] but these don't seem to apply in this situation.
[splunk@hostname apps]$ pwd
/opt/splunk/etc/apps
[splunk@hostname apps]$ find . -name savedsearches.conf | xargs grep -i "Notable - Events Over Time"
./SplunkEnterpriseSecuritySuite/default.old.20190319-222605/savedsearches.conf:[Notable - Events Over Time]
./SplunkEnterpriseSecuritySuite/default.old.20190319-222605/savedsearches.conf:[Notable - Events Over Time By Security Domain]
./SplunkEnterpriseSecuritySuite/default/savedsearches.conf:[Notable - Events Over Time]
./SplunkEnterpriseSecuritySuite/default/savedsearches.conf:[Notable - Events Over Time By Security Domain]
[splunk@hostname apps]$
I don't see any duplicate or copy that's listed in the error message. Really puzzled...
2019-05-17 01:56:10,620+0000 WARNING pid=16225 tid=MainThread file=configuration_check.py:run:228 | status="completed" task="confcheck_es_correlationmigration" message="Configuration file settings may be duplicated in multiple apps: stanza="Notable - Events Over Time" conf_type="savedsearches" apps="SplunkEnterpriseSecuritySuite,SplunkEnterpriseSecuritySuite""
[1]: /storage/temp/272740-es-error.png
[2]: https://answers.splunk.com/answers/735470/splunk-es-configuration-errors-on-splunk-ui.html
[3]: https://answers.splunk.com/answers/523527/configuration-file-settings-may-be-duplicated-in-m-1.html
↧