Getting Data In

Error message during installation of Splunk 7.3.1

ngerosa
Path Finder

Hi all,
I'm trying to install Splunk 7.3.1 on my company computer but at a certain moment I receive this error:

"Error writing to file: C:\ProgramFiles|Splunk\share\splunk\search_mrsparkle\exposed\js\shim\splunk.pdf.js."
I'm administrator on this PC and I tried, with no success, to modify permission, on security tab, of the properties of the folder.

Could anyone help me?

Thank you!

0 Karma

woodcock
Esteemed Legend

Did you try doing what the error told you to do?

0 Karma

ngerosa
Path Finder

What error?

0 Karma

woodcock
Esteemed Legend

The error in your OP. Did you try to modify permission, on security tab, of the properties of the folder?

0 Karma

ngerosa
Path Finder

The error is "Error writing to file: C:\ProgramFiles|Splunk\share\splunk\search_mrsparkle\exposed\js\shim\splunk.pdf.js."
The second part of my message is what I have done to try to solve the issue ("I tried, with no success, to modify permission, on security tab, of the properties of the folder.").

0 Karma

woodcock
Esteemed Legend

I never install splunk in Program Files because some of the paths are too long for Windows. Always install it in the root of a drive.

0 Karma

ngerosa
Path Finder

Hi woodcock,
I tried to install in the root of the drive but I have the same error

0 Karma

nareshinsvu
Builder

Were you able to successfully install previous versions of Splunk on the same machine?

Did you try re-downloading the software again and install?

0 Karma

ngerosa
Path Finder

Hi nareshinsvu,
is first installation on this PC. Yes, I tried also with older version but with same result.

Cheers
Nicolò

0 Karma

jhornsby_splunk
Splunk Employee
Splunk Employee

Hi again Nicolò,

This is really very weird. The only thing I can think of suggesting now is running Sysinternals' Process Monitor and seeing if that tells you anything. You can download it here: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Good luck!

Cheers,

- Jo.

0 Karma

ngerosa
Path Finder

Hi Jo,
I installed and runned Sysinternals' Process Monitor. What, specifically, should I look for?

0 Karma

jhornsby_splunk
Splunk Employee
Splunk Employee

Hi Nicolò,

I'd suggest looking for that error, and then look at the history of that file and it's parent directories. Hopefully there'll be a smoking gun there.

Cheers,

  • Jo.
    • List item
0 Karma

nareshinsvu
Builder

Looks like some issue with your operating system (suspicion only). Did you try any other alternative options?

https://docs.splunk.com/Documentation/Splunk/7.3.1/Installation/DeployandrunSplunkEnterpriseinsideDo...

0 Karma

ngerosa
Path Finder

I have not Linux OS, I have problem only with my windows laptop that I use in office.
In the past I installed Splunk on my private laptop without any problems.

0 Karma

jhornsby_splunk
Splunk Employee
Splunk Employee

Hi ngerosa,

Is this an upgrade, or a fresh installation?

Cheers,

- Jo.

0 Karma

ngerosa
Path Finder

Hi Jo,
it's first installation on this PC.

Cheers
Nicolò

0 Karma

jhornsby_splunk
Splunk Employee
Splunk Employee

Hi Nicolò,

Is it the 64-bit version of Splunk Enterprise you're trying to install? What user are you trying to install it as?

Did you copy and paste that error? It doesn't look quite right...

Can you re-try installation like so:

msiexec /l*vx msiexec.log /i splunk-7.3.1-bd63e13aa157-x64-release.msi

And then search for "return value 3" in that file, and paste the 20 lines before that error?

Cheers,

- Jo.

jhornsby_splunk
Splunk Employee
Splunk Employee

Hi again Nicolò,

Also, if Splunk is not installed, it may be worth renaming (or deleting) "C:\Program Files\Splunk" before attempting the installation.

Cheers,

- Jo.

0 Karma

ngerosa
Path Finder

Hi Jo,
I tried to install using your command but in the msiexec.log there is no "Return value 3"; I find only "Return value 1".
The complete error is: "Error writing to file: C:\ProgramFiles|Splunk\share\splunk\search_mrsparkle\exposed\js\shim\splunk.pdf.js. Verify that you have access to that directory."

There is no folder, before installing Splunk, with "Splunk" as name.

Cheers
Nicolò

0 Karma

ngerosa
Path Finder

Sorry Jo, I found "Return Value 3":

Property(S): OriginalDatabase = C:\Users\gerosan\splunk-7.3.1-bd63e13aa157-x64-release.msi
Property(S): UILevel = 5
Property(S): Preselected = 1
Property(S): CostingComplete = 1
Property(S): OutOfDiskSpace = 0
Property(S): OutOfNoRbDiskSpace = 0
Property(S): PrimaryVolumeSpaceAvailable = 0
Property(S): PrimaryVolumeSpaceRequired = 0
Property(S): PrimaryVolumeSpaceRemaining = 0
Property(S): SOURCEDIR = C:\Users\gerosan\
Property(S): SourcedirProduct = {562A3BD0-3B05-4C80-A93F-0AA1AD74E79F}
Property(S): ProductToBeRegistered = 1
MSI (s) (C8:D4) [17:04:35:885]: MainEngineThread is returning 1603
MSI (s) (C8:3C) [17:04:35:893]: User policy value 'DisableRollback' is 0
MSI (s) (C8:3C) [17:04:35:893]: Machine policy value 'DisableRollback' is 0
MSI (s) (C8:3C) [17:04:35:893]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (C8:3C) [17:04:35:894]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (C8:3C) [17:04:35:894]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (C8:3C) [17:04:35:895]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (s) (C8:3C) [17:04:35:895]: Restoring environment variables
MSI (s) (C8:3C) [17:04:35:896]: Destroying RemoteAPI object.
MSI (s) (C8:14) [17:04:35:896]: Custom Action Manager thread ending.
MSI (c) (20:6C) [17:04:35:898]: Back from server. Return value: 1603
MSI (c) (20:6C) [17:04:35:898]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (20:6C) [17:04:35:898]: PROPERTY CHANGE: Deleting SECONDSEQUENCE property. Its current value is '1'.
Action ended 17:04:35: ExecuteAction. Return value 3

0 Karma

jhornsby_splunk
Splunk Employee
Splunk Employee

Hi Nicolò,

Get-FileHash is a PowerShell cmdlet. You need to start PowerShell first; e.g., by running powershell.exe from the command prompt.

Does the log that was generated mention the file being complained about? If so, could you copy and paste what it says?

Cheers,

- Jo.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...