I have the same issue.

I just opened a support case to see if they have any plan to find a viable solution ([141636])

Kind regards,

I have now tested this with 6.0, and the issue exists there as well.

The key problem here is that during startup the forwarder (both Windows and Linux) do only check whether their old PID exists as a process, but do not check whether that process actually is a Splunk process. As a result, the forwarder believes it already is running if a different process happens to have the old Splunk PID.

I've done some more testing, and 5.0.5 does not fix this issue. Additionally, I've now found precise steps to reproduce, tested under 5.0.1 and 5.0.5:

• Start a UF as a Windows Service
• Kill the process
• Edit the conf-mutator.pid file in /var/run/splunk to change the PID to the PID of an existing process. This simulates that during the UF being down a different process has been assigned its old PID. During system startup the chances for this are considerable.
• Attempt to start the UF service. This will fail with logged events like this: FATAL loader - Timed out waiting for config lock

In the release notes for 5.0.5 I see this entry:

• „Splunk on Windows does not start/restart properly with deployment server, fails with FATAL loader - Timed out waiting for config lock; see splunkd_stderr.log for details. Exiting. (SPL-70075)

This feels similar to my issue, the logged events in case of a start failure are the same. Can anyone confirm this feeling?

Hi martin_mueller

you forgot the third option, increasing the waittokill registry entry in Windows. I did not test it, but maybe this would be a way to go for you.

In HEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control you will find the string WaitToKillServiceTimeout.

If you double click it and then in the > Edit String window, change the > Value data from the default of 12000 (12 seconds) to whatever. (Click OK to save the change).

hope this helps...

cheers, MuS