Error message in Enterprise Security

gcusello
SplunkTrust

Hi all,

I installed Enterprise Security 7.2.0 on Splunk 9.1.1 and I'm receiving the following message:

Unable to initialize modular input "confcheck_es_bias_language_cleanup" defined in the app "SplunkEnterpriseSecuritySuite": Unable to locate suitable script for introspection..

I searched the documentation and at https://docs.splunk.com/Documentation/ES/7.2.0/Install/Upgradetonewerversion#After_upgrading_to_vers... I found the following indication:

To prevent the display of the error messages, follow these workaround steps:

Modify following file:
On the search head cluster: /opt/splunk/etc/shcluster/apps/SplunkEnterpriseSecuritySuite/README/input.conf.spec
On a standalone ES instance this file: /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/README/input.conf.spec
Add the following comment at the end of the file:
###### Conf File Check for Bias Language ######
#[confcheck_es_bias_language_cleanup://default]
#debug = <boolean>
(optional) If you are on standalone search head, follow these additional steps:
Push changes to search head cluster by pushing the bundle apps.
Clean the messages from the top of the page so that they do not display again.
In case of a standalone search head, restart the Splunk process.

Leaving aside that the page speaks of an upgrade while I'm doing a new installation, that the file name is wrong (input.conf instead of inputs.conf), and that they say to modify a .spec file: how can commented statements solve an issue?

Obviously this solution didn't solve my issue.

Is there anyone that can hint a solution to my issue?

Thank you in advance.

Ciao.

Giuseppe

1 Solution

gcusello
SplunkTrust

Hi all,

Splunk Support solved my issue in a very strange way that I report for the other people of the Community:

  • I removed the stanza from the default folder,
  • I added a stanza with disabled = 1 in local folder,
  • I removed the stanza from the $SPLUNK_HOME/SplunkEnterpriseSecuritySuite/README/inputs.conf.spec file.

I didn't understand the reason for the last step, but at least it solved my issue.

Ciao.

Giuseppe

PickleRick
SplunkTrust

A modular input must have a specification so that Splunk knows how to let you configure it

https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/modinputsconfspec

So you need to have the confcheck_es_whatever type of input defined.

Check your .spec files for stanza _not_ commented out.

If you don't have it - add it. Or remove inputs of this type altogether.
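One way to run the check suggested in the reply above: for each input type, report whether its stanza in README/inputs.conf.spec is active, commented out or missing, and whether inputs.conf still defines an input of that type. This is an added example, not code from the thread or from Splunk; both file contents are constructed samples and `example_input` is a hypothetical input type.

```python
import re

# Matches "[scheme://name]" stanza headers, optionally prefixed by "#" (commented out).
STANZA = re.compile(r"^(?P<hash>#*)\s*\[(?P<scheme>\w+)://(?P<name>[^\]]*)\]$")

# Constructed sample: a README/inputs.conf.spec with the stanza commented out,
# as in the documentation workaround quoted in the question.
SAMPLE_SPEC = """\
[example_input://<name>]
interval = <integer>

###### Conf File Check for Bias Language ######
#[confcheck_es_bias_language_cleanup://default]
#debug = <boolean>
"""

# Constructed sample: an inputs.conf that still defines an input of that type.
SAMPLE_INPUTS = """\
[confcheck_es_bias_language_cleanup://default]
debug = false
"""

def scan(text):
    """Count active and commented-out stanzas per input type."""
    found = {}
    for line in text.splitlines():
        m = STANZA.match(line.strip())
        if m:
            counts = found.setdefault(m["scheme"], {"active": 0, "commented": 0})
            counts["commented" if m["hash"] else "active"] += 1
    return found

def report(spec_text, inputs_text):
    """Map input type -> (spec state, True if inputs.conf has an active stanza)."""
    spec, inputs = scan(spec_text), scan(inputs_text)
    rows = {}
    for scheme in sorted(set(spec) | set(inputs)):
        s = spec.get(scheme, {"active": 0, "commented": 0})
        state = "active" if s["active"] else "commented" if s["commented"] else "missing"
        rows[scheme] = (state, inputs.get(scheme, {}).get("active", 0) > 0)
    return rows

def inputs_without_active_spec(rows):
    """Input types that inputs.conf defines but the spec does not actively declare."""
    return [k for k, (state, defined) in rows.items() if defined and state != "active"]

if __name__ == "__main__":
    for scheme, (state, defined) in report(SAMPLE_SPEC, SAMPLE_INPUTS).items():
        print(f"{scheme}: spec={state} inputs.conf={'defined' if defined else 'none'}")
```

Built-in input types such as `monitor://` are declared by Splunk itself rather than by an app, so they show as missing when only an app's own spec file is scanned.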

gcusello
SplunkTrust

Hi @PickleRick,

thank you for your help!

I tried to set the debug to false and to disable it but without success,
do you think that I could comment out the whole input stanza?

Thank you again.

Ciao.

Giuseppe


PickleRick
SplunkTrust

It's not about disabling it because then the input is still defined, just disabled. So you'd probably need to edit the default/ files to remove the stanza altogether which of course is a bad idea. So I'd go for fixing the spec file.

gcusello
SplunkTrust

Hi @PickleRick,

I'll try tomorrow morning to remove the full default stanza.

Thank you.

Ciao.

Giuseppe

catanoium
Loves-to-Learn Everything

Hi, we encountered the same issue after upgrading Splunk ES to 7.2.0.

I am kindly asking you to be more detailed about what you mean by:

  • I removed the stanza from the default folder, (which file in the default folder?)
  • I added a stanza with disabled = 1 in local folder, (again, in which file did you add the stanza?)

Also, are you referring to this recommendation (Ref: hxxps://docs.splunk.com/Documentation/ES/7.2.0/RN/KnownIssues )?

  1. Add the following comment at the end of the file.

    Conf File Check for Bias Language

    [confcheck_es_bias_language_cleanup://default]

    debug = <boolean>


gcusello
SplunkTrust

Hi @catanoium ,

As you can read in the last action, the file is inputs.conf.

Ciao.

Giuseppe

 
