Getting Data In

How do I FULLY uninstall Splunk Universal Forwarder

cutright_jm
New Member

I'm running Splunk Universal Forwarder with a Splunk Enterprise deployment. On a new install, all information is populating correctly into the Splunk App for Windows Infrastructure, including the Windows Update history. However, for forwarders that previously had Splunk installed from the last Enterprise installation, this information is not being reported to the indexer.

The apps are deploying correctly, and are receiving information, but are missing this tidbit (and maybe a few others, I have not dug in too much yet). What I have done is uninstalled the Universal Forwarder 6.6.4 both through the Control Panel and by right-clicking on the Installer. However, in both of these circumstances a lot of registry keys mentioning "Splunk" and "UniversalForwarder" are left over. I believe one of these keys is the culprit to my installation problems.

Does anyone have a suggestion as to how to completely remove Splunk keys from the registry upon uninstalling?

0 Karma

Richfez
SplunkTrust

I don't suspect the registry keys are at fault - usually registry keys left around will cause you to not be able to reinstall at all.

So the first thing I'd check is after uninstalling just make sure your C:\Program Files\SplunkUniversalForwarder\ folder is empty. Or delete that folder itself. Your configuration for what Splunk does comes from the etc folder inside there, so making sure it's empty means the new install has no knowledge of the old things it used to do.

(Unless, perhaps, they're being re-pushed with a deployment server or something, and on the newly set up ones you haven't configured the DS so they don't get those configurations!)

If that is indeed empty, then ... well, I'm pretty sure the registry settings still aren't the case, but I can tell you how to test if it is.

On one of those systems, open up the registry key [HKEY_CLASSES_ROOT\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB] and record the keys it has listed under it. As an example, here's a few from MY environment (when I was having a problem a year or so ago).

"FC94181CE1B8D094287835AC8D72EBB6"=""
"F7079B7DE246D224186FD72DDF2AA906"=""
"E59ED7ED18A676D4D942E4E5BE369938"=""

Now browse to the following two locations and remove those from there.

[HKEY_CLASSES_ROOT\Installer\Products]
[HKEY_CLASSES_ROOT\Installer\Features]

If you look inside whichever keys you have on your system, you'll see they're either empty or they contain splunk-like stuff.

OBVIOUSLY be careful, make backups of your registry, yadda yadda yadda. Your mileage may vary, and I can't be held responsible for anything untoward that happens. Registry editing is not for the faint of heart (though I've been doing it for ages and never had a problem, but then again maybe that's just because I have a light touch? 🙂 )

If you can then install the UF, and let it sit for a while and it works right, great.

If not, reply back with your findings!
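
The check-and-remove procedure from the answer above, written out in PowerShell as an added example that is not part of the original posts: it reads the entries under the quoted UpgradeCodes key, exports a .reg backup of each matching Products and Features key, and removes a key only when run without -WhatIf. The function name and backup directory are hypothetical, the default upgrade code is the one quoted in the answer, and an elevated prompt is assumed.

```powershell
# Hypothetical helper name; the default upgrade code is the one quoted in the answer above.
function Remove-UfInstallerResidue {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$UpgradeCode = '13631B46466632F4FA2E89CF8E9602DB',
        [string]$BackupDir   = (Join-Path $env:TEMP 'uf-registry-backup')  # assumed location
    )

    $root    = 'Registry::HKEY_CLASSES_ROOT\Installer'
    $upgrade = Get-Item -LiteralPath "$root\UpgradeCodes\$UpgradeCode" -ErrorAction SilentlyContinue
    if (-not $upgrade) {
        Write-Warning "UpgradeCodes\$UpgradeCode not found; nothing to do."
        return
    }

    # The entries to record are stored as value names under the upgrade code key.
    $productCodes = $upgrade.GetValueNames() | Where-Object { $_ -match '^[0-9A-F]{32}$' }
    # -WhatIf:$false so the backup directory is created even during a dry run.
    New-Item -ItemType Directory -Path $BackupDir -Force -WhatIf:$false | Out-Null

    foreach ($code in $productCodes) {
        foreach ($branch in 'Products', 'Features') {
            $psPath = "$root\$branch\$code"
            if (-not (Test-Path -LiteralPath $psPath)) { continue }

            # Show what the key holds so it can be confirmed as Splunk-related.
            $name = (Get-ItemProperty -LiteralPath $psPath -ErrorAction SilentlyContinue).ProductName
            Write-Host "$branch\$code  ProductName='$name'"

            # Export a .reg backup before touching anything; skip the key if that fails.
            $backup = Join-Path $BackupDir "$branch-$code.reg"
            & reg.exe export "HKCR\Installer\$branch\$code" $backup /y | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "Backup failed for $branch\$code; skipping."
                continue
            }

            if ($PSCmdlet.ShouldProcess($psPath, 'Remove registry key')) {
                Remove-Item -LiteralPath $psPath -Recurse -Force
            }
        }
    }
}

# Dry run: lists and backs up matching keys, removes nothing.
Remove-UfInstallerResidue -WhatIf
```

Review the dry-run output and the exported .reg files first; calling the function without -WhatIf prompts for confirmation on each key before removing it.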

GingerM
Engager

Brilliant!

Used this twice now and it worked each time, with the 2nd host I had to remove the UpgradeCodes entry as well.

0 Karma

triptraptresko
Explorer

I actually had to delete the registry keys, in order to install UF again.

0 Karma

triptraptresko
Explorer

Thank you @Richfez, worked flawlessly!

0 Karma