I am trying to install the Splunk Universal Forwarder using the CLI install process, but it doesn't seem to install the software. Below is the command line I am using to install:
msiexec.exe /i splunkforwarder-8.0.2.1-f002026bad55-x64-release.msi /l*v install_splunkforwarder-x64-release.msi.log SPLUNKUSERNAME="username" SPLUNKPASSWORD="password" AGREETOLICENSE=Yes RECEIVING_INDEXER="SOME_INDEXER:PORT" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=1 WINEVENT_SET_ENABLE=1 /quiet
Let me know if there is anything wrong with the script. The log indicates that the install is successful, but I don't see the software installed.
I ran this in verbose mode so I could log the error and got this:
MSI (s) (14:B8) [18:54:17:279]: Note: 1: 1708
MSI (s) (14:B8) [18:54:17:279]: Note: 1: 2205 2: 3: Error
MSI (s) (14:B8) [18:54:17:279]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708
MSI (s) (14:B8) [18:54:17:279]: Note: 1: 2205 2: 3: Error
MSI (s) (14:B8) [18:54:17:279]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709
MSI (s) (14:B8) [18:54:17:279]: Product: UniversalForwarder -- Installation failed.
MSI (s) (14:B8) [18:54:17:279]: Windows Installer installed the product. Product Name: UniversalForwarder. Product Version: 8.0.2.1. Product Language: 1033. Manufacturer: Splunk, Inc.. Installation success or error status: 1603.
MSI (s) (14:B8) [18:54:17:290]: Deferring clean up of packages/files, if any exist
MSI (s) (14:B8) [18:54:17:290]: MainEngineThread is returning 1603
MSI (s) (14:64) [18:54:17:290]: No System Restore sequence number for this installation.
=== Logging stopped: 10/7/2020 18:54:17 ===
MSI (s) (14:64) [18:54:17:293]: User policy value 'DisableRollback' is 0
MSI (s) (14:64) [18:54:17:293]: Machine policy value 'DisableRollback' is 0
MSI (s) (14:64) [18:54:17:293]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (14:64) [18:54:17:294]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (14:64) [18:54:17:294]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (14:64) [18:54:17:294]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (s) (14:64) [18:54:17:295]: Destroying RemoteAPI object.
MSI (s) (14:38) [18:54:17:295]: Custom Action Manager thread ending.
MSI (c) (1C:24) [18:54:17:297]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (1C:24) [18:54:17:298]: MainEngineThread is returning 1603
=== Verbose logging stopped: 10/7/2020 18:54:17 ===
Any idea what this means?
Just want to ask you to make sure you followed these steps:
Configure your Windows environment prior to installation
The following steps are high-level. For step-by-step instructions, see Prepare your Windows network for a Splunk Enterprise installation as a network or domain user in the Splunk Enterprise Installation Manual.
Have credentials for the Splunk admin user ready
When you install the universal forwarder, you must create credentials for the Splunk administrator user. The installer does not create credentials for the user. Think of a user name and password and be ready to supply them when you perform the installation. If you do not supply at least a password during a silent installation, the universal forwarder can install without any users defined, which prevents login. You must then create a user-seed.conf file to fix the problem and restart the forwarder.
See Create secure administrator credentials in Securing Splunk for more information on how to create credentials for the Splunk administrator account.
Hi @anandgattu
Have you tried to run the installation without the "/quiet" option? Just to double check there is no error during the process.
I would also check permissions for the user that is running the install command.
@anandgattu I have tried running the installation using the command you provided.
Actually, my log files returned some errors and the forwarder was not installed.
In my case, the errors were happening due to password complexity. So, I would also recommend you check whether you are meeting Splunk security requirements for the admin password.
@alonsocaio I tried without /quiet, but still the same. And the password I am using meets the password requirements for the admin password.
When you tried without the /quiet, did it return a successful installation from the Splunk installer window?
Also, could you please provide more information about the OS version? Is it 32 or 64 bits?
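
An added example, not part of any post in this thread: status 1603 at the end of a verbose msiexec log only says the install failed, and the cause is logged earlier, at the first action that ends with "Return value 3". This Python sketch pulls that action and the lines before it out of the log; the first four sample lines and the action name ExampleCustomAction are constructed.

```python
import re

# Sample input: the first four lines are constructed (ExampleCustomAction is a
# hypothetical name); the last three are copied from the log in this thread.
SAMPLE_LOG = """\
Action start 18:54:16: ExampleCustomAction.
CustomAction ExampleCustomAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 18:54:16: ExampleCustomAction. Return value 3.
Action ended 18:54:17: INSTALL. Return value 3.
MSI (s) (14:B8) [18:54:17:279]: Product: UniversalForwarder -- Installation failed.
MSI (s) (14:B8) [18:54:17:279]: Windows Installer installed the product. Product Name: UniversalForwarder. Product Version: 8.0.2.1. Product Language: 1033. Manufacturer: Splunk, Inc.. Installation success or error status: 1603.
MSI (s) (14:B8) [18:54:17:290]: MainEngineThread is returning 1603
"""

ACTION_END = re.compile(r"Action ended (\d+:\d+:\d+): (\S+?)\. Return value (\d+)\.")
CA_ERROR = re.compile(r"CustomAction (\S+) returned actual error code (\d+)")
STATUS = re.compile(r"Installation success or error status: (\d+)\.")


def read_msi_log(path):
    """Read a log written by msiexec /l*v: UTF-16 if it has a BOM, else UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def triage(text):
    """Return the final status and the first action that ended with return value 3."""
    lines = text.splitlines()
    failed = [(i, m.group(2), m.group(1)) for i, line in enumerate(lines)
              if (m := ACTION_END.search(line)) and m.group(3) == "3"]
    status = [int(m.group(1)) for line in lines if (m := STATUS.search(line))]
    ca = [(m.group(1), int(m.group(2))) for line in lines if (m := CA_ERROR.search(line))]
    first = failed[0] if failed else None
    return {
        "status": status[-1] if status else None,
        "first_failed_action": first[1] if first else None,
        "failed_at": first[2] if first else None,
        # The lines just before the first failure usually carry the real error text.
        "context": lines[max(0, first[0] - 5):first[0]] if first else [],
        "custom_action_errors": ca,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real log, pass the result of read_msi_log() on the file named after /l*v to triage().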