I am trying to upgrade the collectors on a few Windows Servers because I had a security come back saying my version had some issues. The readme in program files says I have Splunk 5.0.3.
I am trying to install 6.4 64-bit.
I am receiving a general error saying the setup ended prematurely and everything was rolled back. This is happening on every server I have attempted to far.
RE:
krellinst rich7177 ♦ · Apr 22 at 12:03 PM
This also is not not working. What I had to do was remove every Registry entry with splunk in it and remove the splunk directory. Reboot and then the install happens just fine. This worked on all 6 servers I was trying it on.
Hunh.... I repeated the install without doing the removal and the second time it said it completed successfully. But now I am having other problems.
I will try your suggestion.
krellinst ,
I had to do the exact process that employed back last year when I went from 5.0.3 to 6.1.3. The worst was having to do it for the 300 v5.0.3 forwarders we had installed. Seems upgrading from 5.x to 6.0 was good for most but if you went from 5.x to 6.1.0 or higher this issue would present itself. I wish I had come across this question earlier for I could of saved you a couple of weeks of headaches by given you the exact process you ended up employing.
What user are you running the installation as?
Also, run the install in administrative mode.
Depending on the exact flavor of Windows, you might have to right-click it and "Run as administrator". If that doesn't work, click start, type cmd but instead of pressing enter or clicking it, RIGHT click it and select Run as administrator. From there launch your installer (e.g. if it's in the root of c:\, then type msiexec /i c:\splunkuniversalforwader-6.4.blah.msi
though of course you can type msiexec /i c:\splun<tab key>
to make life easier.)
This also is not not working. What I had to do was remove every Registry entry with splunk in it and remove the splunk directory. Reboot and then the install happens just fine. This worked on all 6 servers I was trying it on.
AH! Do you have SCCM in your environment? There is a bug in the installer for the UF in all 6.3.x versions which gobs up your registry when you attempt a silent install via SCCM (and it could affect other scenarios as well - if yours had nothing ever to do with SCCM or silent installs, please let us know!).
What I found as a resolution that's at least slightly less annoying is to (and this is MUCH abbreviated, if it doesn't work for you drop a line here and I can give more detail on some parts):
*TEST THIS CAREFULLY, treat it as "free internet help for my complex problem" e.g. be very careful. And no warranties! *
Open up the registry key
[HKEY_CLASSES_ROOT\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB]
Record the keys it has listed under it.
"FC94181CE1B8D094287835AC8D72EBB6"=""
"E59ED7ED18A676D4D942E4E5BE369938"=""
Those were the ones in my case, yours may differ. Those three values you'll want to find as keys and delete out of
[HKEY_CLASSES_ROOT\Installer\Products
[HKEY_CLASSES_ROOT\Installer\Features
The "Products" section can obviously be tied back to the Splunk Universal Forwarder (says so in the "ProductName" value). The "Features" section is a little less obvious. What I've been seeing is two of the three keys exist with stubs or nothing identifiable (or even interesting).
Once you have identified those on a few systems, as long as they're pretty predictable, you could create a batch file like:
@echo off
dir "C:\Program files\splunk*"
IF %ERRORLEVEL%==0 GOTO EXISTS
REG DELETE HKCR\Installer\Features\E59ED7ED18A676D4D942E4E5BE369938 /f
REG DELETE HKCR\Installer\Features\FC94181CE1B8D094287835AC8D72EBB6 /f
REG DELETE HKCR\Installer\Products\E59ED7ED18A676D4D942E4E5BE369938 /f
REG DELETE HKCR\Installer\Products\FC94181CE1B8D094287835AC8D72EBB6 /f
REG DELETE HKCR\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB /f
GOTO END
:EXISTS
ECHO No changes made: UF exists
:END
If you save that as "regclear.cmd", you could then run it (TEST THIS A LOT!) on a remote system with one of the sysinternals utilities "psexec", like
psexec \\myComputerName -c -s -h regclear.cmd
When you are happy it doesn't borken up other things, you can generate a list of the remaining servers and save them in a file and do them all at once by using an alternative syntax
psexec @systems.txt -c -s -h regclear.cmd
Or, for simpler environments, just save the regclear.cmd somewhere accessible from all the systems, log into them and run it once.
HOpefully this will save you time and effort.
And reply back about SCCM! We thought (well, I thought, I'm not positive what Splunk knows in addition to that) it was an SCCM silent install issue only, but it's possible it could affect other types of installs.
As Chris is getting to, the user must have the ability to write to the program files folder and do other things too.
I am running it as myself who has admin privileges. I have also tried running it as the domain admin.
Please check your windows event logs for the error and give us the error details you're getting. start->run->eventvwr.msc [ok/enter]
I believe it will fall under system or application logs.
I am seeing no error just informationals. The last one being - Ending a Windows Installer transaction: C:\Users\rpearson\Desktop\splunkforwarder-6.4.0-f2c836328108-x64-release.msi. Client Process Id: 3096.
Upgrading from 5.0.X to 6.4.X is not officially supported, I believe you will need to upgrade in a step-process. See the following link for more info, scroll down on the page to the "Upgrade from..." sections:
http://docs.splunk.com/Documentation/Splunk/6.4.0/Installation/HowtoupgradeSplunk