Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Installer was unable to create Splunk Services

lmalhoit
Explorer
‎03-15-2011 08:39 PM

I was trying to upgrade splunk from 4.1.7 to 4.2 on one of my machines. This machine was only being used as a forwarding (Windows 2008 R2). I stopped the splunk services as suggested in the upgrade guide and tried to install the upgrade. However, I got the error message: Splunk Installer was unable to create Splunk Services. Please make sure that the user running the installer has the correct privileges, including being able to create Windows Services. Exitcode='1'

I do have permissions as I'm logged in as a domain admin. So, I tried uninstalling the old version of splunk so that I could just do a clean install. It uninstalled fine, but got the same error after trying to install the new version. The services are using local system, so there shouldn't be an issue there. The splunk services are still listed in the services.msc. They are stopped and when I try to start them I get the error: Windows could not start the Splunkd service on local computer. Error 2: The system could not find the file specified. Which makes sense because I uninstalled it so splunkd.exe is no longer there.

Oh, and I've tried restarting the server...didn't work.

Any suggestions?? Thanks in advance.

Reply

vince2010091
Path Finder
‎09-25-2014 09:00 AM

Be careful, sometimes the service is named: "Splunkweb Service" so use :

sc delete Splunkweb Service

Reply

khutchinson_spl
Splunk Employee
Splunk Employee
‎04-09-2013 01:59 PM

Got it all figured out… In my situation the user tried to install a Forwarder OVER a full Splunk installation, not understanding the process. He had to back out of the install due to errors. The documentation clearly states Important: Do not install the universal forwarder over an existing installation of full Splunk. This resulted in the disappearance of splunkd in the services manager. Upon uninstalling the services as part of a reinstall, even though I was deleting the Splunk services manually they were not being released in memory so I could not overwrite them when I went to do a new install. Whenever I went to reinstall I got the error message: "Splunk Installer was unable to create Splunk Services. Please make sure that the user running the installer has the correct privileges, including being able to create Windows Services. Exitcode='1'". ANSWER: Make sure that the Splunk install folder does not have "read-only" anywhere within its properties. 2. Bounce Splunk after you do an installer uninstall on Windows or you manually delete the services. Windows will not always release the memory. It makes it appear as if its a permission issue which is common on Windows2008 r2 which only exacerbates issues.

Reply

afret2007
Path Finder
‎01-28-2015 07:13 AM

khutchinson_splunk,

I want you to know that I had been racking my brain on this for three days until I finally ran across this post. Even though nearly two years later and version 6.1.6, I hit the EXACT same problem after an error caused the rollback to fail except splunkweb and not splunkd service was causing the error (I believe vince2010091 was alluding to that fact). Splunkweb got deleted leaving only splunkd. Manually deleting the splunkd service via command line and rebooting allowed me to successfully upgrade to v6.1.6.

0 Karma
Reply

kphillipson
Path Finder
‎09-03-2013 09:35 AM

Found the easiest way to add or remove the services is to run "splunk enable boot-start" or "splunk disable boot-start"

0 Karma
Reply

Ledio_Ago
Splunk Employee
Splunk Employee
‎03-16-2011 02:51 PM

Imalhoit,

After you removed Splunk Forwarder, you should try and remove those left over splunk services from the service manager manually before you install the new Splunk 4.2 I'm not sure why the 4.1.7 installer is leaving those services behind.

Since you logged in as domain admin, you can delete the services from the command line using:

sc delete splunkd
sc delete splunkweb

Let me know how this works out.

Cheers,
Ledio

Reply

Ledio_Ago
Splunk Employee
Splunk Employee
‎04-25-2011 09:24 AM

Imalhoit, I'm sorry, totally lost track of this answer. Have you been able to upgrade Splunk. In case not, since you're running on a 2k8 server, there should be couple "installer" log files in the %temp% folder. Especially the one that looks like "MSIe570d.log' and then you have the one that looks like "Splunk-108.2.1572.log'

Thanks,
Ledio

0 Karma
Reply

Ledio_Ago
Splunk Employee
Splunk Employee
‎04-25-2011 09:16 AM

yannk, it seems like the user that you're trying to install splunk with doesn't have permissions to create the splunk services. What's your situation? Are you setting Splunk to run as Domain user or Local System user?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎04-22-2011 12:53 PM

It is not working in my case.
win 2008 SP R2
"Splunk installer was unable to
create Splunk Services. Please make sure that the user running the
installer has the correct privileges, including being able to create
Windows services. Exitcode='2'"

0 Karma
Reply

lmalhoit
Explorer
‎03-17-2011 01:58 PM

Ledio,
Thanks for the tip! That worked on one of my servers. Unfortunately I have three more that still aren't installing. The services are gone, but now I'm getting the same error above except with the exit code of 7.

Any other suggestions?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...