Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error message in Enterprise Security

gcusello
SplunkTrust
SplunkTrust
‎10-28-2023 03:11 AM

Hi at all,

I installed Enterprise Security 7.2.0 on Splunk 9.1.1 and I'm receiving the following message:

Unable to initialize modular input "confcheck_es_bias_language_cleanup" defined in the app "SplunkEnterpriseSecuritySuite": Unable to locate suitable script for introspection..

I searched on the documentation and at https://docs.splunk.com/Documentation/ES/7.2.0/Install/Upgradetonewerversion#After_upgrading_to_vers... I fond the following indication:

 

To prevent the display of the error messages, follow these workaround steps:

Modify following file:
On the search head cluster: /opt/splunk/etc/shcluster/apps/SplunkEnterpriseSecuritySuite/README/input.conf.spec On a standalone ES instance this file: /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/README/input.conf.spec
Add the following comment at the end of the file:
###### Conf File Check for Bias Language ######
#[confcheck_es_bias_language_cleanup://default]
#debug = <boolean>
(optional) If you are on standalone search head, follow these additional steps:
Push changes to search head cluster by pushing the bundle apps.
Clean the messages from the top of the page so that they do not display again.
. In case of a standalone search head, restart the Splunk process.

 

passing that in the page they are speaking of an upgrade and i'm newly installing, that the file name is wrong (input.conf instead inputs.conf) and that they say to modify a .spec file, but how commented statements can solve an issue?

Obviously this solution didn't solved my issue.

Is there anyone that can hint a solution to my issue?

Thank you in avdance.

Ciao.

Giuseppe

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-31-2023 06:13 AM

Hi at all,

Splunk Support solved my issue in a very strange way that I report for the other people of Community:

  • I removed the stanza from the default folder,
  • I added a stanza wioth disabled = 1 in local folder,
  • I removed the stanza from the $SPLUNK_HOME/SplunkEnterpriseSecuritySuite/README/inputs.conf.spec file.

I didn't understand why the last step, but at least solved my issue.

Ciao.

Giuseppe

 

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-28-2023 04:16 AM

A modular input must have a specification so that Splunk knows how to let you configure it

https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/modinputsconfspec

So you need to have the confcheck_es_whsatever type of input defined.

Check your .spec files for stanza _not_ commented out.

If you don't have it - add it. Or remove inputs of this type altogether.

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-28-2023 08:46 AM

Hi @PickleRick,

thank you for your help!

I tried to set the debug to false and to disable it but without success,
do you think that i could comment all the input stanza?

Thank you again.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-28-2023 09:47 AM

It's not about disabling it because then the input is still defined, just disabled. So you'd probably nees to edit the default/ files to remove the stanza altogether which of course is a bad idea. So I'd go for fixing the spec file.

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-29-2023 02:32 AM

Hi @PickleRick,

I'll try tomorrow morning to remove the full default stanza.

thank You.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-31-2023 06:13 AM

Hi at all,

Splunk Support solved my issue in a very strange way that I report for the other people of Community:

  • I removed the stanza from the default folder,
  • I added a stanza wioth disabled = 1 in local folder,
  • I removed the stanza from the $SPLUNK_HOME/SplunkEnterpriseSecuritySuite/README/inputs.conf.spec file.

I didn't understand why the last step, but at least solved my issue.

Ciao.

Giuseppe

 

Reply
Solved! Jump to solution

catanoium
Loves-to-Learn Everything
‎12-19-2023 07:48 AM

Hi, we encountered the same issue after upgrading Splunk ES to 7.2.0.

I am kindly asking to be more detailed by what do you mean by :

  • I removed the stanza from the default folder, (which file in the default folder?)
  • I added a stanza with disabled = 1 in local folder, (again, in which file you added the stanza?)

Also, are you referring to this recommendation (Ref: hxxps://docs.splunk.com/Documentation/ES/7.2.0/RN/KnownIssues )?

  1. Add the following comment at the end of the file.

    Conf File Check for Bias Language

    [confcheck_es_bias_language_cleanup://default]

    debug = <boolean>

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-19-2023 11:25 PM

Hi @catanoium ,

As you can read in the last action, the file is inputs.conf.

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...