Getting Data In

I am unable to upgrade Splunk universal forwarder 7.3.3 -> 8.1.3

marcinss
Loves-to-Learn

Hi everyone,

 

I have an issue with upgrade splunk universal forwarder 7.3.3 to 8.1.3 (windows platform).

During our investigation, we found that the problem only occurs on machines that were previously operated by UF 6.5.2.

We tried a few tricks with msi package recache, repair or uninstall, but can't find a solution to install version 8.1.3. No problem going back to version 7.3.3, we do the standard install and everything works fine.

No matter what we do, in the 8.1.3 installation log we still find that the msi installer is finding a previous version of product 6.5.2! (we have work station 7.3.3)

Do you have an idea what we can try to do?

Labels (2)
0 Karma

marcinss
Loves-to-Learn

Have any ideas?
Maybe I can somehow "cut off" information about the previous version during the installation? (we've already cleared the registry of "splunk" info, but maybe we missed something)

0 Karma

gcusello
Legend

Hi @marcinss,

This is usually a problem with windows, even if you want to install in a different folder or drive.

It's strange that you continue to have problems after uninstalling and registry cleaning, , please check again this activity because maybe you forgot something.

Then, you said that you can upgrade to 7.x, what does it happen if you upgrade in two steps 6.x -> 7.x and then 7.x -> 8.x?

Ciao.

Giuseppe

0 Karma

marcinss
Loves-to-Learn

Oh maybe I'm not explaining clearly what our upgrade process looks like.

We haven't been using Universal Forwarder version 6.5.2 for years.

Our scripts uninstall 7.3.3 first, then install 8.1.3. but on a few machines we have a problem.
however, even if installing version 8.1.3 doesn't work, we can install 7.3.3 smoothly

0 Karma

gcusello
Legend

Hi @marcinss,

did you checked the compatibility list of forwarders with operative systems?

the machines with problems ha all the same OS? are there other working machines with the same OS?

For check, see at https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#Supported_Operat...

Ciao.

Giuseppe

0 Karma

marcinss
Loves-to-Learn

Yep,

We are on Win 2012R2, 2016 and now we are in the middle of migration from 2012R2 to 2019.

Moving on, we also have a situation where we are trying to install 8.1.3 on Win 2012R2 - it didn't work. We then upgraded a few hosts to Win 2019, but that didn't help either.

0 Karma

gcusello
Legend

Hi @marcinss,

probably the problem is the compatibility between UF 8.x and Windows2012R2.

To be sure, the best approach is to open a case to Splunk Support.

In the meantime, you could maintain UF 7.3.3 on those systems, waiting for the upgrade both of OS and UF.

Ciao.

Giuseppe

0 Karma

gcusello
Legend

Hi @marcinss,

sorry I forgot an addendum: if you continue to have problems, open a case to Splunk Support.

Ciao.

Giuseppe

0 Karma

marcinss
Loves-to-Learn

Hi @gcusello,

in the msi package log We can see that the installer looked for previous product versions and always found only "universal forwarder 6.5.2".

Then we have two options:
- installer finds old msi package (6.5.2) and wants to do something and ends with this error

MSI (s) (80: 1C) [23: 12: 15: 952]: Invoking remote custom action. DLL: C: \ WINDOWS \ Installer \ MSI3E.tmp, entry point: CreateFtrCA
CreateFtr: Warning: Invalid property ignored: FailCA =.
CreateFtr: Error: Cannot create C: \ Program Files \ SplunkUniversalForwarder \ ftr.
CreateFtr: Error 0x80004005: Cannot create ftr.
CustomAction CreateFtr returned real error code 1603


(by the way, I don't know why it goes to the C: drive, during installation we point to the D drive directory 🙂

- when we rename msi package, logs say installer found old version but can't uninstall it.

MSI (s) (D4:B0) [04:41:03:711]: Product: UniversalForwarder -- Error 1714. The older version of UniversalForwarder cannot be removed. Contact your technical support group. System Error 1612.

Error 1714. The older version of UniversalForwarder cannot be removed. Contact your technical support group. System Error 1612.

 
In the same time, there is no issue to install 7.3.3 version

0 Karma

gcusello
Legend

Hi @marcinss,

what does it happen if you delete the old installation and reinstall it by scratch?

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...