
Trying to upgrade Windows universal forwarders from Splunk 5.0.3 to 6.4, why am I getting error "Wizard Ended Prematurely"?

Engager

I am trying to upgrade the collectors on a few Windows Servers because I had a security come back saying my version had some issues. The readme in program files says I have Splunk 5.0.3.

I am trying to install 6.4 64-bit.

I am receiving a general error saying the setup ended prematurely and everything was rolled back. This is happening on every server I have attempted so far.

0 Karma

Re: Trying to upgrade Windows universal forwarders from Splunk 5.0.3 to 6.4, why am I getting error "Wizard Ended Prematurely"?

Splunk Employee

What user are you running the installation as?

0 Karma

Re: Trying to upgrade Windows universal forwarders from Splunk 5.0.3 to 6.4, why am I getting error "Wizard Ended Prematurely"?

SplunkTrust

As Chris is getting to, the user must have the ability to write to the program files folder and do other things too.

0 Karma

Re: Trying to upgrade Windows universal forwarders from Splunk 5.0.3 to 6.4, why am I getting error "Wizard Ended Prematurely"?

Engager

I am running it as myself who has admin privileges. I have also tried running it as the domain admin.

0 Karma

Re: Trying to upgrade Windows universal forwarders from Splunk 5.0.3 to 6.4, why am I getting error "Wizard Ended Prematurely"?

SplunkTrust

Please check your Windows event logs for the error and give us the error details you're getting. start->run->eventvwr.msc [ok/enter]

I believe it will fall under system or application logs.

0 Karma

Re: Trying to upgrade Windows universal forwarders from Splunk 5.0.3 to 6.4, why am I getting error "Wizard Ended Prematurely"?

Engager

I am seeing no error just informationals. The last one being - Ending a Windows Installer transaction: C:\Users\rpearson\Desktop\splunkforwarder-6.4.0-f2c836328108-x64-release.msi. Client Process Id: 3096.

0 Karma

Re: Trying to upgrade Windows universal forwarders from Splunk 5.0.3 to 6.4, why am I getting error "Wizard Ended Prematurely"?

Splunk Employee

Upgrading from 5.0.X to 6.4.X is not officially supported; I believe you will need to upgrade in a step-process. See the following link for more info, and scroll down on the page to the "Upgrade from..." sections:

http://docs.splunk.com/Documentation/Splunk/6.4.0/Installation/HowtoupgradeSplunk


Re: Trying to upgrade Windows universal forwarders from Splunk 5.0.3 to 6.4, why am I getting error "Wizard Ended Prematurely"?

SplunkTrust

Also, run the install in administrative mode.

Depending on the exact flavor of Windows, you might have to right-click it and "Run as administrator". If that doesn't work, click start, type cmd but instead of pressing enter or clicking it, RIGHT click it and select Run as administrator. From there launch your installer (e.g. if it's in the root of c:\, then type msiexec /i c:\splunkuniversalforwarder-6.4.blah.msi though of course you can type msiexec /i c:\splun<tab key> to make life easier.)


Re: Trying to upgrade Windows universal forwarders from Splunk 5.0.3 to 6.4, why am I getting error "Wizard Ended Prematurely"?

Engager

This also is not working. What I had to do was remove every Registry entry with splunk in it and remove the splunk directory. Reboot and then the install happens just fine. This worked on all 6 servers I was trying it on.

0 Karma

Re: Trying to upgrade Windows universal forwarders from Splunk 5.0.3 to 6.4, why am I getting error "Wizard Ended Prematurely"?

SplunkTrust

AH! Do you have SCCM in your environment? There is a bug in the installer for the UF in all 6.3.x versions which gobs up your registry when you attempt a silent install via SCCM (and it could affect other scenarios as well - if yours had nothing ever to do with SCCM or silent installs, please let us know!).

What I found as a resolution that's at least slightly less annoying is to (and this is MUCH abbreviated, if it doesn't work for you drop a line here and I can give more detail on some parts):

*TEST THIS CAREFULLY, treat it as "free internet help for my complex problem" e.g. be very careful. And no warranties! *

Open up the registry key

[HKEY_CLASSES_ROOT\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB]

Record the keys it has listed under it.

"FC94181CE1B8D094287835AC8D72EBB6"=""
"E59ED7ED18A676D4D942E4E5BE369938"=""

Those were the ones in my case, yours may differ. Those three values you'll want to find as keys and delete out of

[HKEY_CLASSES_ROOT\Installer\Products]
[HKEY_CLASSES_ROOT\Installer\Features]

The "Products" section can obviously be tied back to the Splunk Universal Forwarder (says so in the "ProductName" value). The "Features" section is a little less obvious. What I've been seeing is two of the three keys exist with stubs or nothing identifiable (or even interesting).

Once you have identified those on a few systems, as long as they're pretty predictable, you could create a batch file like:

@echo off
REM dir sets ERRORLEVEL 0 when something matches "C:\Program files\splunk*".
REM In that case skip the cleanup and leave the registry alone.
dir "C:\Program files\splunk*"
IF %ERRORLEVEL%==0 GOTO EXISTS

REM Nothing matched on disk: delete the leftover Windows Installer entries.
REG DELETE HKCR\Installer\Features\E59ED7ED18A676D4D942E4E5BE369938 /f
REG DELETE HKCR\Installer\Features\FC94181CE1B8D094287835AC8D72EBB6 /f
REG DELETE HKCR\Installer\Products\E59ED7ED18A676D4D942E4E5BE369938 /f
REG DELETE HKCR\Installer\Products\FC94181CE1B8D094287835AC8D72EBB6 /f
REG DELETE HKCR\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB /f

GOTO END
:EXISTS
ECHO No changes made: UF exists

:END

If you save that as "regclear.cmd", you could then run it (TEST THIS A LOT!) on a remote system with one of the sysinternals utilities "psexec", like

psexec \\myComputerName -c -s -h regclear.cmd

When you are happy it doesn't borken up other things, you can generate a list of the remaining servers and save them in a file and do them all at once by using an alternative syntax

psexec @systems.txt -c -s -h regclear.cmd

Or, for simpler environments, just save the regclear.cmd somewhere accessible from all the systems, log into them and run it once.

Hopefully this will save you time and effort.

And reply back about SCCM! We thought (well, I thought, I'm not positive what Splunk knows in addition to that) it was an SCCM silent install issue only, but it's possible it could affect other types of installs.

0 Karma
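
An added example, not part of the original post and not Splunk's own tooling: a read-only PowerShell check that lists the values under the UpgradeCodes key from the answer above and reports which of them also appear under Products and Features, so the entries can be confirmed on each server before any REG DELETE is run. The upgrade code and the "C:\Program files\splunk*" path are taken from the post; the parameter and column names are chosen here.

```powershell
# Added example: read-only audit, makes no registry changes.
# Defaults come from the post above; the parameter names are assumptions.
param(
    [string]$UpgradeCode = '13631B46466632F4FA2E89CF8E9602DB',
    [string]$InstallGlob = 'C:\Program Files\splunk*'
)

$root       = 'Registry::HKEY_CLASSES_ROOT\Installer'
$upgradeKey = "$root\UpgradeCodes\$UpgradeCode"

# Same on-disk test the batch file uses: does anything match the glob?
$onDisk = Test-Path -Path $InstallGlob

if (-not (Test-Path -LiteralPath $upgradeKey)) {
    Write-Output "No UpgradeCodes entry for $UpgradeCode on $env:COMPUTERNAME."
    return
}

# The value names under the upgrade code are the entries to look for
# under Products and Features (skip the unnamed default value).
$codes = (Get-Item -LiteralPath $upgradeKey).GetValueNames() | Where-Object { $_ }

$report = foreach ($code in $codes) {
    $prodPath = "$root\Products\$code"
    $featPath = "$root\Features\$code"
    $name = $null
    if (Test-Path -LiteralPath $prodPath) {
        $prop = Get-ItemProperty -LiteralPath $prodPath -Name ProductName -ErrorAction SilentlyContinue
        if ($prop) { $name = $prop.ProductName }
    }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Code        = $code
        ProductName = $name
        InProducts  = (Test-Path -LiteralPath $prodPath)
        InFeatures  = (Test-Path -LiteralPath $featPath)
        # Only treat an entry as a leftover when nothing is installed on disk
        # and the Products key, if present, names a Splunk product.
        Leftover    = (-not $onDisk) -and ((-not $name) -or ($name -like '*Splunk*'))
    }
}

$report | Format-Table -AutoSize
if ($onDisk) { Write-Output "Install folder matches $InstallGlob; entries are likely in use." }
```

Rows with Leftover = False and a ProductName that does not mention Splunk point at a different product sharing the key and should be reviewed by hand before anything is deleted.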