Splunk Install wizard ends prematurely

Path Finder

I upgraded from Splunk 6.2.5 to 7.0. It seemed to work, but I get KV store errors. No luck on resolving those errors.

I then tried to upgrade from 7.0 to 7.3 - and the wizard ended prematurely. The O/S is a VM running W2K12.
The Splunk user is a domain user and an admin; the files/folders all have permissions for the user as full-control.

Short of removing and re-installing - what can I be looking for? The log file just says: "FatalError1"

Thanks,
eholz1

0 Karma

Esteemed Legend

There is a default log file in AppData/Local/Temp/splunk.log, and you can force more logging with $ msiexec /I <splunk-MSI> /l*v <log-file>. The problem is almost always that Splunk cannot write to the disk because of a permission problem.

0 Karma

Path Finder

Thanks, will check the file in the temp folder. I have been using the msiexec method to start it. I have a new problem now!
Ouch - the splunkd service will not stay running!

Thanks for the input,

eholz1

0 Karma

Esteemed Legend

So you got through the install wizard?

0 Karma

Path Finder

Hello woodcock,

Well, it seems the issue is permissions as you indicated. A domain user is set to run the splunkd service,
and from what I read the "splunkuser" should have access to D:\Program Files\Splunk....

Does this user also have to have permissions on D:...?

I am unable to set permissions on some files and folders under Splunk/... When I attempt to set the permissions, some folders/files return "access denied".

I will do more research tomorrow.

Thanks,
eholz1

0 Karma

Splunk Employee

Hi eholz1,

The installer should be ensuring that all permissions are correct, so unless that is failing (which should be recorded in the %TEMP%/splunk.log file that @woodcock mentioned---search for icacls), there really shouldn't be a problem there. However, what is true for some directories\files is that although the user that splunkd executes as has access, you as a member of Administrators, or whatever, may not. That is somewhat unconventional for Windows, but it is not a bug per se.

Hope this clarifies some.

Cheers,

- Jo.

0 Karma
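
Added example, not part of the thread and not Splunk's own code: a Python triage of a verbose log produced with msiexec /l*v as suggested above, listing every action that ended with "Return value 3" (Windows Installer's fatal-error result) together with any icacls or access-denied lines logged inside it. The sample log, the action name ExampleSetPermissions and the wording of the icacls line are constructed assumptions; only the "Action start"/"Action ended" framing is standard Windows Installer output.

```python
import re

# Constructed sample; only the "Action start/ended" framing is standard MSI output.
# The action name ExampleSetPermissions and the icacls wording are hypothetical.
SAMPLE_LOG = r"""
Action start 10:15:00: INSTALL.
MSI (s) (A4:5C) [10:15:01:120]: Doing action: InstallFiles
Action start 10:15:01: InstallFiles.
Action ended 10:15:09: InstallFiles. Return value 1.
MSI (s) (A4:5C) [10:15:09:200]: Doing action: ExampleSetPermissions
Action start 10:15:09: ExampleSetPermissions.
ExampleSetPermissions: icacls failed on "D:\Program Files\Splunk": Access is denied.
CustomAction ExampleSetPermissions returned actual error code 1603
Action ended 10:15:10: ExampleSetPermissions. Return value 3.
Action ended 10:15:10: INSTALL. Return value 3.
"""

ACTION_START = re.compile(r"^Action start \d{1,2}:\d{2}:\d{2}: (?P<name>[^.]+)\.")
ACTION_END = re.compile(
    r"^Action ended \d{1,2}:\d{2}:\d{2}: (?P<name>[^.]+)\. Return value (?P<rc>\d+)\.")

def read_msi_log(path):
    """Verbose msiexec logs are often UTF-16 with a BOM; otherwise assume UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def failed_actions(log_text, keywords=("icacls", "access is denied")):
    """Return [(action, [keyword lines logged inside it])] for every action
    that ended with Return value 3 (fatal error), in log order."""
    stack, failures = [], []          # stack of (action name, keyword lines)
    for line in log_text.splitlines():
        start, end = ACTION_START.match(line), ACTION_END.match(line)
        if start:
            stack.append((start["name"], []))
        elif end:
            names, hits = [n for n, _ in stack], []
            if end["name"] in names:  # close the innermost matching action
                idx = len(names) - 1 - names[::-1].index(end["name"])
                hits = stack[idx][1]
                del stack[idx:]
            if end["rc"] == "3":
                failures.append((end["name"], hits))
        elif stack and any(k in line.lower() for k in keywords):
            stack[-1][1].append(line.strip())   # attribute to innermost open action
    return failures

if __name__ == "__main__":
    for action, lines in failed_actions(SAMPLE_LOG):
        print(action, lines)
```

The first entry returned is the action to investigate; enclosing actions such as INSTALL are listed after it only because the inner action failed.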

Path Finder

Hello jhornsby,

Thanks for the reply, I will check icacls and see what it shows.
There is no splunk.log file in %TEMP%. I will assume that %TEMP% is that user/appdata/local/splunk, etc.

Thanks for the tip, I will check things out (again) and get back one way or the other.

eholz1

0 Karma

Path Finder

Found the problem. There were two bogus CA PEM files in the /etc/auth folder.
I deleted those, and the install completed. Thanks,

0 Karma

Path Finder

Forgot to mention the processor is Intel -

0 Karma