Getting Data In

How do I FULLY uninstall Splunk Universal Forwarder

cutright_jm
New Member

I'm running Splunk Universal Forwarder with a Splunk Enterprise deployment. On a new install, all information is populating correctly into the Splunk App for Windows Infrastructure, including the Windows Update history. However, for forwarders that previously had Splunk installed from the last Enterprise installation, this information is not being reported to the indexer.

The apps are deploying correctly, and are receiving information, but are missing this tidbit (and maybe a few others, I have not dug in too much yet). What I have done is uninstalled the Universal Forwarder 6.6.4 both through the Control Panel and by right-clicking on the Installer. However, in both of these circumstances a lot of registry keys mentioning "Splunk" and "UniversalForwarder" are left over. I believe one of these keys is the culprit to my installation problems.

Does anyone have a suggestion as to how to completely remove Splunk keys from the registry upon uninstalling?

0 Karma

Richfez
SplunkTrust

I don't suspect the registry keys are at fault - usually registry keys left around will cause you to not be able to reinstall at all.

So the first thing I'd check is after uninstalling just make sure your C:\Program Files\SplunkUniversalForwarder\ folder is empty. Or delete that folder itself. Your configuration for what Splunk does comes from the etc folder inside there, so making sure it's empty means the new install has no knowledge of the old things it used to do.

(Unless, perhaps, they're being re-pushed with a deployment server or something, and on the newly set up ones you haven't configured the DS so they don't get those configurations!)

If that is indeed empty, then ... well, I'm pretty sure the registry settings still aren't the case, but I can tell you how to test if it is.

On one of those systems, open up the registry key [HKEY_CLASSES_ROOT\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB] and record the keys it has listed under it. As an example, here's a few from MY environment (when I was having a problem a year or so ago).

"FC94181CE1B8D094287835AC8D72EBB6"=""
"F7079B7DE246D224186FD72DDF2AA906"=""
"E59ED7ED18A676D4D942E4E5BE369938"=""

Now browse to the following two locations and remove those from there.

[HKEY_CLASSES_ROOT\Installer\Products]
[HKEY_CLASSES_ROOT\Installer\Features]

If you look inside whichever keys you have on your system, you'll see they're either empty or they contain splunk-like stuff.

OBVIOUSLY be careful, make backups of your registry, yadda yadda yadda. Your mileage may vary, and I can't be held responsible for anything untoward that happens. Registry editing is not for the faint of heart (though I've been doing it for ages and never had a problem, but then again maybe that's just because I have a light touch? 🙂 )

If you can then install the UF, and let it sit for a while and it works right, great.

If not, reply back with your findings!
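
The procedure described in the answer above, as an added PowerShell example that is not part of the original post: it reads the value names under the UpgradeCodes key, exports each matching Products and Features key to a .reg backup, and then removes it. The function name, the backup folder and the `-IncludeUpgradeCode` switch are assumptions made for illustration.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
function Remove-StaleUfInstallerKey {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Upgrade code key quoted in the answer above.
        [string]$UpgradeCode = '13631B46466632F4FA2E89CF8E9602DB',
        # Assumed backup folder; change as needed.
        [string]$BackupDir = (Join-Path $env:TEMP 'uf-installer-backup'),
        # Also remove the UpgradeCodes entry itself (one later reply needed this).
        [switch]$IncludeUpgradeCode
    )
    $root = 'HKEY_CLASSES_ROOT\Installer'
    $upgradePath = "$root\UpgradeCodes\$UpgradeCode"
    if (-not (Test-Path -LiteralPath "Registry::$upgradePath")) {
        Write-Warning "Not found: $upgradePath"
        return
    }
    [void][System.IO.Directory]::CreateDirectory($BackupDir)

    # Value names under the upgrade code identify the leftover product entries.
    $codes = (Get-Item -LiteralPath "Registry::$upgradePath").GetValueNames() |
        Where-Object { $_ -match '^[0-9A-F]{32}$' }

    $targets = @(foreach ($code in $codes) {
        "$root\Products\$code"
        "$root\Features\$code"
    })
    if ($IncludeUpgradeCode) { $targets += $upgradePath }

    foreach ($key in $targets) {
        if (-not (Test-Path -LiteralPath "Registry::$key")) { continue }
        # Back up each key before touching it; skip deletion if the export fails.
        $file = Join-Path $BackupDir (($key -replace '[\\:]', '_') + '.reg')
        & reg.exe export $key $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Backup failed, skipping $key"
            continue
        }
        if ($PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
            Remove-Item -LiteralPath "Registry::$key" -Recurse -Force
        }
    }
}

# Dry run: lists what would be removed without deleting anything.
Remove-StaleUfInstallerKey -WhatIf
```

Drop `-WhatIf` to perform the removal; the exported .reg files in the backup folder can be re-imported with `reg.exe import` if needed.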

GingerM
Engager

Brilliant!

Used this twice now and it worked each time; with the 2nd host I had to remove the UpgradeCodes entry as well.

0 Karma

triptraptresko
Explorer

I actually had to delete the registry keys, in order to install UF again.

0 Karma

triptraptresko
Explorer

Thank you @Richfez, worked flawlessly!

0 Karma