Re: Uninstall universal forwarder error: "Splunk I...

maroex77 · ‎12-21-2017

I am trying to uninstall Universal Forwarder 6.1.3 and it gives me an error "Splunk Installer was unable to enable event log monitoring. Splunk exitcode='1'". Does anyone know how to fix this so i can remove and update to the new version?

risgupta · ‎01-02-2018

Try to check if the PID file is existing for the splunk at the location $SPLUNK_HOME/var/run/splunk/.

if there it is, then you can remove that file and then you can delete the entire splunk. If this still does not help you, then you might need to remove the registry settings for the splunk from HKEY_LOCAL for the windows machine.

Let me know how it goes.

nikita_p · ‎01-02-2018

Hi @maroex77,
Did you specify a destination indexer IP with port 9997.
In the service manager you should verify that the user name and password are correct. You should use the domain\username format for the username.

p_gurav · ‎01-02-2018

Hi maroex77,

Please follow steps in below link to upgrade your splunk according to your system OS:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Installation/HowtoupgradeSplunk

Uninstall universal forwarder error: "Splunk Installer was unable to enable event log monitoring. Splunk exitcode='1'"

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation