I'm running Splunk Universal Forwarder with a Splunk Enterprise deployment. On a new install, all information is populating correctly into the Splunk App for Windows Infrastructure, including the Windows Update history. However, for forwarders that previously had Splunk installed from the last Enterprise installation, this information is not being reported to the indexer.
The apps are deploying correctly, and are receiving information, but are missing this tidbit (and maybe a few others, I have not dug in too much yet). What I have done is uninstalled the Unifersal Forwarder 6.6.4 both through the Control Panel and by right clicking on the Installer. However, in both of these circumstances a lot of registry keys mentioning "Splunk" and "UniversalForwarder" are left over. I believe one of these keys is the culprit to my installation problems.
Does anyone have a suggestion as how to completely remove Splunk keys from the registry upon uninstalling?
I don't suspect the registry keys are at fault - usually registry keys left around will cause you to not be able to reinstall at all.
So the first thing I'd check is after uninstalling just make sure your C:\Program Files\SplunkUniversalForwarder\ folder is empty. Or delete that folder itself. Your configuration for what Splunk does comes from the etc folder inside there, so making sure it's empty means the new install has no knowledge of the old things it used to do.
(Unless, perhaps, they're being re-pushed with a deployment server or something, and on the newly set up ones you haven't configured the DS so they don't get those configurations!)
If that is indeed empty, then ... well, I'm pretty sure the registry settings still aren't the case, but I can tell you how to test if it is.
On one of those systems, open up the registry key [HKEY_CLASSES_ROOT\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB]
and record the keys it has listed under it. As an example, here's a few from MY environment (when i was having a problem a year or so ago).
"FC94181CE1B8D094287835AC8D72EBB6"=""
"F7079B7DE246D224186FD72DDF2AA906"=""
"E59ED7ED18A676D4D942E4E5BE369938"=""
Now browse to the following two locations and remove those from there.
[HKEY_CLASSES_ROOT\Installer\Products
[HKEY_CLASSES_ROOT\Installer\Features
If you look inside whichever keys you have on your system, you'll see they're either empty or they contain splunk-like stuff.
OBVIOUSLY be careful, make backups of your registry, yadda yadda yadda. Your mileage may vary, and I can't be held responsible for anything untoward that happens. Registry editing is not for the faint of heart (though I've been doing it for ages and never had a problem, but then again maybe that's just because I have a light touch? 🙂 )
If you can then install the UF, and let it sit for a while and it works right, great.
If not, reply back with your findings!
Brilliant!
Used this twice now and it worked each time, with the 2nd host I had to remove the UpgradeCodes entry as well.
I actually had to delete the registry keys, in order to install UF again.
Thank you @Richfez, worked flawlessly!