Getting Data In

Trying to upgrade Windows universal forwarders from Splunk 5.0.3 to 6.4, why am I getting error "Wizard Ended Prematurely"?

krellinst
Engager

I am trying to upgrade the collectors on a few Windows Servers because I had a security come back saying my version had some issues. The readme in program files says I have Splunk 5.0.3.

I am trying to install 6.4 64-bit.

I am receiving a general error saying the setup ended prematurely and everything was rolled back. This is happening on every server I have attempted to far.

0 Karma

reswob4
Builder

RE:

krellinst  rich7177 ♦ · Apr 22 at 12:03 PM  
This also is not not working. What I had to do was remove every Registry entry with splunk in it and remove the splunk directory. Reboot and then the install happens just fine. This worked on all 6 servers I was trying it on.

Hunh.... I repeated the install without doing the removal and the second time it said it completed successfully. But now I am having other problems.

I will try your suggestion.

0 Karma

afret2007
Path Finder

krellinst ,
I had to do the exact process that employed back last year when I went from 5.0.3 to 6.1.3. The worst was having to do it for the 300 v5.0.3 forwarders we had installed. Seems upgrading from 5.x to 6.0 was good for most but if you went from 5.x to 6.1.0 or higher this issue would present itself. I wish I had come across this question earlier for I could of saved you a couple of weeks of headaches by given you the exact process you ended up employing.

0 Karma

ChrisG
Splunk Employee
Splunk Employee

What user are you running the installation as?

0 Karma

Richfez
SplunkTrust
SplunkTrust

Also, run the install in administrative mode.

Depending on the exact flavor of Windows, you might have to right-click it and "Run as administrator". If that doesn't work, click start, type cmd but instead of pressing enter or clicking it, RIGHT click it and select Run as administrator. From there launch your installer (e.g. if it's in the root of c:\, then type msiexec /i c:\splunkuniversalforwader-6.4.blah.msi though of course you can type msiexec /i c:\splun<tab key> to make life easier.)

krellinst
Engager

This also is not not working. What I had to do was remove every Registry entry with splunk in it and remove the splunk directory. Reboot and then the install happens just fine. This worked on all 6 servers I was trying it on.

0 Karma

Richfez
SplunkTrust
SplunkTrust

AH! Do you have SCCM in your environment? There is a bug in the installer for the UF in all 6.3.x versions which gobs up your registry when you attempt a silent install via SCCM (and it could affect other scenarios as well - if yours had nothing ever to do with SCCM or silent installs, please let us know!).

What I found as a resolution that's at least slightly less annoying is to (and this is MUCH abbreviated, if it doesn't work for you drop a line here and I can give more detail on some parts):

*TEST THIS CAREFULLY, treat it as "free internet help for my complex problem" e.g. be very careful. And no warranties! *

Open up the registry key

[HKEY_CLASSES_ROOT\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB]

Record the keys it has listed under it.

"FC94181CE1B8D094287835AC8D72EBB6"=""
"E59ED7ED18A676D4D942E4E5BE369938"=""

Those were the ones in my case, yours may differ. Those three values you'll want to find as keys and delete out of

[HKEY_CLASSES_ROOT\Installer\Products
[HKEY_CLASSES_ROOT\Installer\Features

The "Products" section can obviously be tied back to the Splunk Universal Forwarder (says so in the "ProductName" value). The "Features" section is a little less obvious. What I've been seeing is two of the three keys exist with stubs or nothing identifiable (or even interesting).

Once you have identified those on a few systems, as long as they're pretty predictable, you could create a batch file like:

@echo off
dir "C:\Program files\splunk*"
IF %ERRORLEVEL%==0 GOTO EXISTS

REG DELETE HKCR\Installer\Features\E59ED7ED18A676D4D942E4E5BE369938 /f
REG DELETE HKCR\Installer\Features\FC94181CE1B8D094287835AC8D72EBB6 /f
REG DELETE HKCR\Installer\Products\E59ED7ED18A676D4D942E4E5BE369938 /f
REG DELETE HKCR\Installer\Products\FC94181CE1B8D094287835AC8D72EBB6 /f
REG DELETE HKCR\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB /f

GOTO END
:EXISTS
ECHO No changes made: UF exists

:END

If you save that as "regclear.cmd", you could then run it (TEST THIS A LOT!) on a remote system with one of the sysinternals utilities "psexec", like

psexec \\myComputerName -c -s -h regclear.cmd

When you are happy it doesn't borken up other things, you can generate a list of the remaining servers and save them in a file and do them all at once by using an alternative syntax

psexec @systems.txt -c -s -h regclear.cmd

Or, for simpler environments, just save the regclear.cmd somewhere accessible from all the systems, log into them and run it once.

HOpefully this will save you time and effort.

And reply back about SCCM! We thought (well, I thought, I'm not positive what Splunk knows in addition to that) it was an SCCM silent install issue only, but it's possible it could affect other types of installs.

0 Karma

jkat54
SplunkTrust
SplunkTrust

As Chris is getting to, the user must have the ability to write to the program files folder and do other things too.

0 Karma

krellinst
Engager

I am running it as myself who has admin privileges. I have also tried running it as the domain admin.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Please check your windows event logs for the error and give us the error details you're getting. start->run->eventvwr.msc [ok/enter]

I believe it will fall under system or application logs.

0 Karma

krellinst
Engager

I am seeing no error just informationals. The last one being - Ending a Windows Installer transaction: C:\Users\rpearson\Desktop\splunkforwarder-6.4.0-f2c836328108-x64-release.msi. Client Process Id: 3096.

0 Karma

jbailey_splunk
Splunk Employee
Splunk Employee

Upgrading from 5.0.X to 6.4.X is not officially supported, I believe you will need to upgrade in a step-process. See the following link for more info, scroll down on the page to the "Upgrade from..." sections:

http://docs.splunk.com/Documentation/Splunk/6.4.0/Installation/HowtoupgradeSplunk

Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...