I was trying to upgrade Splunk from 4.1.7 to 4.2 on one of my machines. This machine was only being used as a forwarder (Windows 2008 R2). I stopped the Splunk services as suggested in the upgrade guide and tried to install the upgrade. However, I got the error message: "Splunk Installer was unable to create Splunk Services. Please make sure that the user running the installer has the correct privileges, including being able to create Windows Services. Exitcode='1'"
I do have permissions as I'm logged in as a domain admin. So, I tried uninstalling the old version of splunk so that I could just do a clean install. It uninstalled fine, but got the same error after trying to install the new version. The services are using local system, so there shouldn't be an issue there. The splunk services are still listed in the services.msc. They are stopped and when I try to start them I get the error: Windows could not start the Splunkd service on local computer. Error 2: The system could not find the file specified. Which makes sense because I uninstalled it so splunkd.exe is no longer there.
Oh, and I've tried restarting the server...didn't work.
Any suggestions?? Thanks in advance.
After you removed Splunk Forwarder, you should try to remove those leftover Splunk services from the service manager manually before you install the new Splunk 4.2. I'm not sure why the 4.1.7 installer is leaving those services behind.
Since you logged in as domain admin, you can delete the services from the command line using:
sc delete splunkd
sc delete splunkweb
Let me know how this works out.
Thanks for the tip! That worked on one of my servers. Unfortunately I have three more that still aren't installing. The services are gone, but now I'm getting the same error above except with the exit code of 7.
Any other suggestions?
It is not working in my case.
win 2008 SP R2
"Splunk installer was unable to create Splunk Services. Please make sure that the user running the installer has the correct privileges, including being able to create Windows services. Exitcode='2'"
yannk, it seems like the user that you're trying to install splunk with doesn't have permissions to create the splunk services. What's your situation? Are you setting Splunk to run as Domain user or Local System user?
Imalhoit, I'm sorry, totally lost track of this answer. Have you been able to upgrade Splunk? In case not, since you're running on a 2k8 server, there should be a couple of "installer" log files in the %temp% folder. Especially the one that looks like "MSIe570d.log" and then you have the one that looks like "Splunk-108.2.1572.log".
Got it all figured out… In my situation the user tried to install a Forwarder OVER a full Splunk installation, not understanding the process. He had to back out of the install due to errors. The documentation clearly states: "Important: Do not install the universal forwarder over an existing installation of full Splunk." This resulted in the disappearance of splunkd in the services manager. Upon uninstalling the services as part of a reinstall, even though I was deleting the Splunk services manually, they were not being released in memory, so I could not overwrite them when I went to do a new install. Whenever I went to reinstall I got the error message: "Splunk Installer was unable to create Splunk Services. Please make sure that the user running the installer has the correct privileges, including being able to create Windows Services. Exitcode='1'".
ANSWER:
1. Make sure that the Splunk install folder does not have "read-only" anywhere within its properties.
2. Bounce Splunk after you do an installer uninstall on Windows or you manually delete the services. Windows will not always release the memory. It makes it appear as if it's a permission issue, which is common on Windows 2008 R2, which only exacerbates issues.
I want you to know that I had been racking my brain on this for three days until I finally ran across this post. Even though nearly two years later and version 6.1.6, I hit the EXACT same problem after an error caused the rollback to fail except splunkweb and not splunkd service was causing the error (I believe vince2010091 was alluding to that fact). Splunkweb got deleted leaving only splunkd. Manually deleting the splunkd service via command line and rebooting allowed me to successfully upgrade to v6.1.6.
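A pre-install check for the conditions reported in this thread (leftover splunkd/splunkweb service entries, a deleted service that Windows has not yet released, and read-only files in the install folder), as an added example that is not part of any post above or of Splunk's own tooling. The default install path and the use of the service key's DeleteFlag registry value to spot a pending deletion are assumptions of this example.

```powershell
# Added example: run from an elevated prompt before re-running the installer.
# $InstallDir is an assumption; pass the folder Splunk was (or will be) installed in.
param(
    [string]$InstallDir = 'C:\Program Files\Splunk',
    [string[]]$ServiceNames = @('splunkd', 'splunkweb')   # service names from the thread
)

$findings = @()

foreach ($name in $ServiceNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) { continue }               # no leftover entry

    $props = Get-ItemProperty -Path $key
    # ImagePath may be quoted and carry arguments; keep only the executable path.
    $exe = $null
    if ($props.ImagePath -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($props.ImagePath -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
    if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }

    if ($props.DeleteFlag -eq 1) {
        # Already deleted (e.g. with "sc delete") but the entry has not been released yet.
        $findings += "$name is marked for deletion; reboot before installing"
    }
    elseif (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
        $findings += "$name is registered but its binary is missing ($exe); run: sc delete $name"
    }
    else {
        $findings += "$name is still installed at $exe"
    }
}

if (Test-Path -LiteralPath $InstallDir) {
    # Files only: the read-only flag on a directory does not block writes on Windows.
    $ro = @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly })
    if ($ro.Count -gt 0) {
        $findings += "$($ro.Count) read-only file(s) under $InstallDir, first: $($ro[0].FullName)"
    }
}

if ($findings.Count -eq 0) { 'No leftover Splunk services or read-only files found.' }
else { $findings }
```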