I upgraded from Splunk 6.2.5 to 7.0. It seemed to work, but I get KV store errors. No luck on resolving those errors.
I then tried to upgrade from 7.0 to 7.3 - and the wizard ended prematurely. The O/S is a VM running W2K12.
The Splunk user is a domain user and an admin; the files/folders all have permissions for the user as full-control.
Short of removing and re-installing - what can I be looking for? The log file just says: "FatalError1"
Thanks,
eholz1
There is a default log file in AppData/Local/Temp/splunk.log, and you can force more logging with $ msiexec /I <splunk-MSI> /l*v <log-file>. The problem is almost always that Splunk cannot write to the disk because of a permission problem.
Thanks, will check the file in the temp folder. I have been using the msiexec method to start it. I have a new problem now!
Ouch - the splunkd service will not stay running!
Thanks for the input,
eholz1
So you got through the install wizard?
Hello woodcock,
Well, it seems the issue is permissions as you indicated. A domain user is set to run the splunkd service, and from what I read the "splunkuser" should have access to D:\Program Files\Splunk....
Does this user also have to have permissions on D:...?
I am unable to set permissions on some files and folders under Splunk/... When I attempt to set the permissions, some folders/files return "access denied".
I will do more research tomorrow.
Thanks,
eholz1
Hi eholz1,
The installer should be ensuring that all permissions are correct, so unless that is failing (which should be recorded in the %TEMP%/splunk.log file that @woodcock mentioned---search for icacls), there really shouldn't be a problem there. However, what is true for some directories\files is that although the user that splunkd executes as has access, you as a member of Administrators, or whatever, may not. That is somewhat unconventional for Windows, but it is not a bug per se.
Hope this clarifies some.
Cheers,
Hello jhornsby,
Thanks for the reply, I will check icacls and see what it shows.
There is no splunk.log file in %TEMP%. I will assume that %TEMP% is that user/appdata/local/splunk, etc.
Thanks for the tip, I will check things out (again) and get back one way or the other.
eholz1
Found the problem. There were two bogus CA PEM files in the /etc/auth folder.
I deleted those, and the install completed. Thanks,
Forgot to mention the processor is Intel -