I am trying to upgrade the collectors on a few Windows Servers because I had a security come back saying my version had some issues. The readme in program files says I have Splunk 5.0.3.
I am trying to install 6.4 64-bit.
I am receiving a general error saying the setup ended prematurely and everything was rolled back. This is happening on every server I have attempted so far.
As Chris is getting to, the user must have the ability to write to the program files folder and do other things too.
I am running it as myself who has admin privileges. I have also tried running it as the domain admin.
Please check your Windows event logs for the error and give us the error details you're getting. start->run->eventvwr.msc [ok/enter]
I believe it will fall under system or application logs.
I am seeing no error just informationals. The last one being - Ending a Windows Installer transaction: C:\Users\rpearson\Desktop\splunkforwarder-6.4.0-f2c836328108-x64-release.msi. Client Process Id: 3096.
Upgrading from 5.0.X to 6.4.X is not officially supported, I believe you will need to upgrade in a step-process. See the following link for more info, scroll down on the page to the "Upgrade from..." sections:
Also, run the install in administrative mode.
Depending on the exact flavor of Windows, you might have to right-click it and "Run as administrator". If that doesn't work, click start, type cmd but instead of pressing enter or clicking it, RIGHT click it and select Run as administrator. From there launch your installer (e.g. if it's in the root of c:\, then type
msiexec /i c:\splunkuniversalforwader-6.4.blah.msi though of course you can type
msiexec /i c:\splun<tab key> to make life easier.)
This also is not working. What I had to do was remove every Registry entry with splunk in it and remove the splunk directory. Reboot and then the install happens just fine. This worked on all 6 servers I was trying it on.
AH! Do you have SCCM in your environment? There is a bug in the installer for the UF in all 6.3.x versions which gobs up your registry when you attempt a silent install via SCCM (and it could affect other scenarios as well - if yours had nothing ever to do with SCCM or silent installs, please let us know!).
What I found as a resolution that's at least slightly less annoying is to (and this is MUCH abbreviated, if it doesn't work for you drop a line here and I can give more detail on some parts):
*TEST THIS CAREFULLY, treat it as "free internet help for my complex problem" e.g. be very careful. And no warranties! *
Open up the registry key
Record the keys it has listed under it.
Those were the ones in my case, yours may differ. Those three values you'll want to find as keys and delete out of
The "Products" section can obviously be tied back to the Splunk Universal Forwarder (says so in the "ProductName" value). The "Features" section is a little less obvious. What I've been seeing is two of the three keys exist with stubs or nothing identifiable (or even interesting).
Once you have identified those on a few systems, as long as they're pretty predictable, you could create a batch file like:
@echo off
dir "C:\Program files\splunk*"
IF %ERRORLEVEL%==0 GOTO EXISTS
REG DELETE HKCR\Installer\Features\E59ED7ED18A676D4D942E4E5BE369938 /f
REG DELETE HKCR\Installer\Features\FC94181CE1B8D094287835AC8D72EBB6 /f
REG DELETE HKCR\Installer\Products\E59ED7ED18A676D4D942E4E5BE369938 /f
REG DELETE HKCR\Installer\Products\FC94181CE1B8D094287835AC8D72EBB6 /f
REG DELETE HKCR\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB /f
GOTO END
:EXISTS
ECHO No changes made: UF exists
:END
If you save that as "regclear.cmd", you could then run it (TEST THIS A LOT!) on a remote system with one of the sysinternals utilities "psexec", like
psexec \\myComputerName -c -s -h regclear.cmd
When you are happy it doesn't borken up other things, you can generate a list of the remaining servers and save them in a file and do them all at once by using an alternative syntax
psexec @systems.txt -c -s -h regclear.cmd
Or, for simpler environments, just save the regclear.cmd somewhere accessible from all the systems, log into them and run it once.
Hopefully this will save you time and effort.
And reply back about SCCM! We thought (well, I thought, I'm not positive what Splunk knows in addition to that) it was an SCCM silent install issue only, but it's possible it could affect other types of installs.
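
Added example, not posted by anyone in this thread: a read-only PowerShell audit that lists the HKCR\Installer keys tied to the forwarder on one system, so the key names can be compared across servers before anything like regclear.cmd is pushed out. The ProductName pattern, and the layout in which each UpgradeCodes key lists its product keys as value names, are assumptions to confirm on your own systems.

```powershell
# Read-only audit: reports keys, deletes nothing.
# Assumption: the forwarder's ProductName value matches this pattern; adjust if yours differs.
$NamePattern = '*Universal*Forwarder*'
$Root = 'Registry::HKEY_CLASSES_ROOT\Installer'

# Same guard as regclear.cmd: record whether a Splunk directory is still on disk.
$splunkOnDisk = Test-Path 'C:\Program Files\Splunk*'

# 1. Products keys whose ProductName identifies the forwarder.
$products = Get-ChildItem "$Root\Products" -ErrorAction SilentlyContinue |
    Where-Object { $_.GetValue('ProductName') -like $NamePattern }

$report = foreach ($p in $products) {
    $id = $p.PSChildName

    # 2. Features key with the same name as the Products key.
    $hasFeatures = Test-Path "$Root\Features\$id"

    # 3. UpgradeCodes keys that carry this product key as a value name
    #    (assumed layout, see the note above the block).
    $upgradeCodes = Get-ChildItem "$Root\UpgradeCodes" -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains $id } |
        ForEach-Object { $_.PSChildName }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        ProductKey   = $id
        ProductName  = $p.GetValue('ProductName')
        FeaturesKey  = $hasFeatures
        UpgradeCodes = $upgradeCodes -join ';'
        SplunkOnDisk = $splunkOnDisk
    }
}

if ($report) {
    $report | Format-Table -AutoSize
} else {
    'No forwarder entries found under HKCR\Installer\Products.'
}
```

Features keys that have no matching Products key (the "stubs" described above) will not appear in this report and still need to be checked by hand.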