- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![gcusello gcusello](https://community.splunk.com/legacyfs/online/avatars/553812.jpg)
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
Hi at all,
I installed Enterprise Security 7.2.0 on Splunk 9.1.1 and I'm receiving the following message:
Unable to initialize modular input "confcheck_es_bias_language_cleanup" defined in the app "SplunkEnterpriseSecuritySuite": Unable to locate suitable script for introspection..
I searched on the documentation and at https://docs.splunk.com/Documentation/ES/7.2.0/Install/Upgradetonewerversion#After_upgrading_to_vers... I fond the following indication:
To prevent the display of the error messages, follow these workaround steps:
Modify following file:
On the search head cluster: /opt/splunk/etc/shcluster/apps/SplunkEnterpriseSecuritySuite/README/input.conf.spec On a standalone ES instance this file: /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/README/input.conf.spec
Add the following comment at the end of the file:
###### Conf File Check for Bias Language ######
#[confcheck_es_bias_language_cleanup://default]
#debug = <boolean>
(optional) If you are on standalone search head, follow these additional steps:
Push changes to search head cluster by pushing the bundle apps.
Clean the messages from the top of the page so that they do not display again.
. In case of a standalone search head, restart the Splunk process.
passing that in the page they are speaking of an upgrade and i'm newly installing, that the file name is wrong (input.conf instead inputs.conf) and that they say to modify a .spec file, but how commented statements can solve an issue?
Obviously this solution didn't solved my issue.
Is there anyone that can hint a solution to my issue?
Thank you in avdance.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![gcusello gcusello](https://community.splunk.com/legacyfs/online/avatars/553812.jpg)
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
Hi at all,
Splunk Support solved my issue in a very strange way that I report for the other people of Community:
- I removed the stanza from the default folder,
- I added a stanza wioth disabled = 1 in local folder,
- I removed the stanza from the $SPLUNK_HOME/SplunkEnterpriseSecuritySuite/README/inputs.conf.spec file.
I didn't understand why the last step, but at least solved my issue.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
A modular input must have a specification so that Splunk knows how to let you configure it
https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/modinputsconfspec
So you need to have the confcheck_es_whsatever type of input defined.
Check your .spec files for stanza _not_ commented out.
If you don't have it - add it. Or remove inputs of this type altogether.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![gcusello gcusello](https://community.splunk.com/legacyfs/online/avatars/553812.jpg)
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
Hi @PickleRick,
thank you for your help!
I tried to set the debug to false and to disable it but without success,
do you think that i could comment all the input stanza?
Thank you again.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
It's not about disabling it because then the input is still defined, just disabled. So you'd probably nees to edit the default/ files to remove the stanza altogether which of course is a bad idea. So I'd go for fixing the spec file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![gcusello gcusello](https://community.splunk.com/legacyfs/online/avatars/553812.jpg)
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![gcusello gcusello](https://community.splunk.com/legacyfs/online/avatars/553812.jpg)
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
Hi at all,
Splunk Support solved my issue in a very strange way that I report for the other people of Community:
- I removed the stanza from the default folder,
- I added a stanza wioth disabled = 1 in local folder,
- I removed the stanza from the $SPLUNK_HOME/SplunkEnterpriseSecuritySuite/README/inputs.conf.spec file.
I didn't understand why the last step, but at least solved my issue.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, we encountered the same issue after upgrading Splunk ES to 7.2.0.
I am kindly asking to be more detailed by what do you mean by :
- I removed the stanza from the default folder, (which file in the default folder?)
- I added a stanza with disabled = 1 in local folder, (again, in which file you added the stanza?)
Also, are you referring to this recommendation (Ref: hxxps://docs.splunk.com/Documentation/ES/7.2.0/RN/KnownIssues )?
- Add the following comment at the end of the file.
Conf File Check for Bias Language
[confcheck_es_bias_language_cleanup://default]
debug = <boolean>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![gcusello gcusello](https://community.splunk.com/legacyfs/online/avatars/553812.jpg)
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
![](/skins/images/89D5ADE867CBAF0B5A525B7E23D83D7E/responsive_peak/images/icon_anonymous_message.png)