Getting Data In

Why am I getting error "Universal Forwarder Setup Wizard ended prematurely" trying to install Splunk universal forwarder 6.2 on Windows Server 2012R2?

cam343
Path Finder

Hello,

I am trying to deploy the Splunk universal forward to Win 2012 R2 servers.
Using version : 6.2.0-237341-x64

But it fails instantly with the following message:
Universal forwarder setup wizard ended prematurely because of an error. Your system has not been modified. To install this program at a later time, run Setup wizard again. Click the finish button to exit the setup Wizard.

The MSI log contains the following:

=== Logging started: 21/11/2014  12:42:56 ===
Action 12:42:56: INSTALL. 
Action start 12:42:56: INSTALL.
Action 12:42:56: SetAllUsers. 
Action start 12:42:56: SetAllUsers.
SetAllUsers:  Info: Registry setting for current user is not found.
SetAllUsers:  Info: ALLUSERS value for the existing installation: -1.
SetAllUsers:  Info: Set ALLUSERS property to 1.
SetAllUsers:  Info: Leave SetAllUsers: 0x0.
Action ended 12:42:56: SetAllUsers. Return value 1.
Action 12:42:56: FindRelatedProducts. Searching for related applications
Action start 12:42:56: FindRelatedProducts.
Action ended 12:42:56: FindRelatedProducts. Return value 1.
Action 12:42:56: GetPreviousSettings. 
Action start 12:42:56: GetPreviousSettings.
GetPreviousSettings:  Error: DetermineContextForAllProducts failed witht: 0x65b.
GetPreviousSettings:  Error 0x80004005: Failed to GetInstalledSplunkSettings.
GetPreviousSettings:  Info: Leave GetPreviousSettings: 0x80004005.
CustomAction GetPreviousSettings returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 12:42:57: GetPreviousSettings. Return value 3.
Action 12:42:57: FatalError. 
Action start 12:42:57: FatalError.

Error message is then displayed.

Then the remain log is produced:

Action ended 12:42:59: FatalError. Return value 2.
m created a 'Tahoma' font, in 0 character set, of 13 pixels height.
Info 2898.For WixUI_Font_Bigger textstyle, the system created a 'Tahoma' font, in 0 character set, of 19 pixels height.
Action 12:42:57: FatalError. Dialog created
Action ended 12:42:59: INSTALL. Return value 3.
Property(C): UpgradeCode = {64B13631-6664-4F23-AFE2-98FCE86920BD}
Property(C): SET_ADMIN_USER = 1
Property(C): WixUIRMOption = UseRM
Property(C): _UICertFile = UICertFile
Property(C): _UIRootCertFile = UIRootCertFile
Property(C): _UIMonPath = UIMonPath
Property(C): UIUseLocalSystem = 1
Property(C): UIUseBundledTA = 1
Property(C): _UIWinTAPath = UIWinTAPath
Property(C): WIXUI_INSTALLDIR = INSTALLDIR
Property(C): ALLUSERS = 1
Property(C): ARPNOMODIFY = yes
Property(C): ProgramFiles64Folder = C:\Program Files\
Property(C): SourceDir = C:\Windows\ccmcache\4\
Property(C): Manufacturer = Splunk, Inc.
Property(C): ProductCode = {0C37FA8A-044D-496A-80A2-39AA95A0B56C}
Property(C): ProductLanguage = 1033
Property(C): ProductName = UniversalForwarder
Property(C): ProductVersion = 6.2.0.237341
Property(C): ARPPRODUCTICON = WixSplunkIcon
Property(C): DefaultUIFont = WixUI_Font_Normal
Property(C): WixUI_Mode = InstallDir
Property(C): ErrorDialog = ErrorDlg
Property(C): SplunkSvcName = SplunkForwarder
Property(C): UIShowTADialog = 0
Property(C): UIRecvIdxValid = 0
Property(C): DoNotInstallDrivers = 0
Property(C): SplunkX86Msi = 0
Property(C): UICustomize = 0
Property(C): AGREETOLICENSE = No
Property(C): LAUNCHSPLUNK = 1
Property(C): os_OK = 1
Property(C): MSIRESTARTMANAGERCONTROL = Disable
Property(C): MSIDISABLERMRESTART = 1
Property(C): MSIRMSHUTDOWN = 2
Property(C): LEGACYDRV = 1
Property(C): AdminProperties = AGREETOLICENSE;CERTFILE;CERTPASSWORD;CLONEPREP;DEPLOYMENT_SERVER;DoNotInstallDrivers;ENABLEADMON;FAILCA;FORCEINSTALLDRIVERS;KEEPSPLUNKHOME;LAUNCHSPLUNK;LEGACYDRV;LOGON_PASSWORD;LOGON_USERNAME;MONITOR_PATH;NEWERVERSIONDETECTED;os_OK;OtherSplunkProductsPresent;PERFMON;PREVPRODUCTCODE;RECEIVING_INDEXER;ROOTCACERTFILE;SET_ADMIN_USER;SPLUNKD_PORT;UIAdmon;UIApplicationLog;UICertFile;UICertPassword;UIConfirmCertPassword;UIConfirmDomainPassword;UIDeplSrv;UIDeplSrvPort;UIDomainAccount;UIDomainPassword;UIForwardedEventsLog;UIMonPath;UINoDeplSrvOrIndexer;UIPerfCpu;UIPerfDisk;UIPerfMemory;UIPerfNetstat;UIRecvIdx;UIRecvIdxPort;UIRootCertFile;UISecurityLog;UISetupLog;UISystemLog;UIWinTAPath;WINDOWS_TA_LOCATION;WINDOWS_TA_VERSION;WINEVENTLOG_APP_ENABLE;WINEVENTLOG_FWD_ENABLE;WINEVENTLOG_SEC_ENABLE;WINEVENTLOG_SET_ENABLE;WINEVENTLOG_SYS_ENABLE
Property(C): SecureCustomProperties = ARPNOMODIFY;NEWERVERSIONDETECTED;PREVPRODUCTCODE
Property(C): MsiHiddenProperties = LOGON_PASSWORD;SetupServiceConfig
Property(C): MsiLogFileLocation = c:\temp\splunk.log
Property(C): PackageCode = {E831C453-A05F-46B1-B77A-2FD0420F8735}
Property(C): ProductState = 1
Property(C): CURRENTDIRECTORY = C:\Users\edur01\Desktop
Property(C): CLIENTUILEVEL = 0
Property(C): CLIENTPROCESSID = 4808
Property(C): PRODUCTLANGUAGE = 1033
Property(C): VersionDatabase = 200
Property(C): VersionMsi = 5.00
Property(C): VersionNT = 603
Property(C): VersionNT64 = 603
Property(C): WindowsBuild = 9600
Property(C): ServicePackLevel = 0
Property(C): ServicePackLevelMinor = 0
Property(C): MsiNTProductType = 3
Property(C): WindowsFolder = C:\Windows\
Property(C): WindowsVolume = C:\
Property(C): System64Folder = C:\Windows\system32\
Property(C): SystemFolder = C:\Windows\SysWOW64\
Property(C): TerminalServer = 1
Property(C): TempFolder = C:\Users\edur01\AppData\Local\Temp\
Property(C): ProgramFilesFolder = C:\Program Files (x86)\
Property(C): CommonFilesFolder = C:\Program Files (x86)\Common Files\
Property(C): CommonFiles64Folder = C:\Program Files\Common Files\
Property(C): AppDataFolder = C:\Users\edur01\AppData\Roaming\
Property(C): FavoritesFolder = C:\Users\edur01\Favorites\
Property(C): NetHoodFolder = C:\Users\edur01\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
Property(C): PersonalFolder = C:\Users\edur01\Documents\
Property(C): PrintHoodFolder = C:\Users\edur01\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
Property(C): RecentFolder = C:\Users\edur01\AppData\Roaming\Microsoft\Windows\Recent\
Property(C): SendToFolder = C:\Users\edur01\AppData\Roaming\Microsoft\Windows\SendTo\
Property(C): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\
Property(C): CommonAppDataFolder = C:\ProgramData\
Property(C): LocalAppDataFolder = C:\Users\edur01\AppData\Local\
Property(C): MyPicturesFolder = C:\Users\edur01\Pictures\
Property(C): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
Property(C): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Property(C): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
Property(C): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\
Property(C): DesktopFolder = C:\Users\Public\Desktop\
Property(C): FontsFolder = C:\Windows\Fonts\
Property(C): GPTSupport = 1
Property(C): OLEAdvtSupport = 1
Property(C): ShellAdvtSupport = 1
Property(C): MsiAMD64 = 6
Property(C): Msix64 = 6
Property(C): Intel = 6
Property(C): PhysicalMemory = 6141
Property(C): VirtualMemory = 1760
Property(C): AdminUser = 1
Property(C): MsiTrueAdminUser = 1
Property(C): LogonUser = edur01
Property(C): UserSID = S-1-5-21-4275840501-1099104590-2052170957-2787
Property(C): UserLanguageID = 3081
Property(C): ComputerName = QHORD0102
Property(C): SystemLanguageID = 3081
Property(C): ScreenX = 1152
Property(C): ScreenY = 864
Property(C): CaptionHeight = 23
Property(C): BorderTop = 1
Property(C): BorderSide = 1
Property(C): TextHeight = 16
Property(C): TextInternalLeading = 3
Property(C): ColorBits = 32
Property(C): TTCSupport = 1
Property(C): Time = 12:42:59
Property(C): Date = 21/11/2014
Property(C): MsiNetAssemblySupport = 4.0.30319.33440
Property(C): MsiWin32AssemblySupport = 6.3.9600.16384
Property(C): RedirectedDllSupport = 2
Property(C): MsiRunningElevated = 1
Property(C): Privileged = 1
Property(C): USERNAME = Windows User
Property(C): DATABASE = C:\Windows\ccmcache\4\splunkforwarder.msi
Property(C): OriginalDatabase = C:\Windows\ccmcache\4\splunkforwarder.msi
Property(C): SOURCEDIR = C:\Windows\ccmcache\4\
Property(C): VersionHandler = 5.00
Property(C): UILevel = 5
Property(C): ACTION = INSTALL
Property(C): EXECUTEACTION = INSTALL
=== Logging stopped: 21/11/2014  12:42:59 ===

Trying to install the 6.1.3 forwarder looks more promising (doesn't fail near instantly, but then errors out saying a newer version is already installed. (which is not true)

Any help is appreciated.

dcloes
Engager

The solution for me was to uninstall a previous version. I was attempting to install 6.6.3 when 6.3.3. was installed.

Uninstalled 6.3.3 and it immediately worked. Crappy installer.

0 Karma

rovechkin
Explorer

it looks like the error is
GetPreviousSettings: Error: DetermineContextForAllProducts failed witht: 0x65b.

Apparently you have some products on the machine which failed to be installed or uninstalled properly. The Splunk installer will attempt to find other Splunk instances on the machine, thus it needs to enumerate installed products. If it fails to read installer database in the registry, the installation fails because it cannot determine if previous Splunk product is installed (this is need to properly upgrade Splunk).

I would recommend trying to clean up installation database. For example this utility may help:
http://support.microsoft.com/KB/290301,

Ellen
Splunk Employee
Splunk Employee

This references a known issue:
SPL-95121, SPL-93893 - Splunk 6.2 installer fails if msi database on the machine is partially corruputed. MSI log will contain the message:
GetPreviousSettings: Error: DetermineContextForAllProducts failed witht: 0x65b.

This is expected to be fixed beyond 6.2.2

bhsakarchourasi
Path Finder

Hi All,

Sorry for adding comment on old Post.

Unfortunately I am also getting this error while installing version 7.2. same version was installed but while restarting the service it was giving error then I decided to reinstall the forwarder but now ended up with this error.

Can someone please help.

0 Karma

ahall_splunk
Splunk Employee
Splunk Employee

0x80004005 (which is the error code in your initial log leading to the failure) is "Access Denied" - it generally means that the user that is attempting to run the installer does not have permission to read the registry for the settings. Quite why that is happening is unclear, and could be a bunch of things - including a failed (further on) install leaving a corrupted registry, running the installer as a non-Administrator, or any number of other things.

Unfortunately, that's not enough to repair the situation. Maybe now you have installed the 6.1.3 version, you can re-try and see if it works.

cam343
Path Finder

I have managed to install version 6.1.3 successfully.

I needed to remove the following registry key (and sub keys):
HKEY_CLASSES_ROOT\Installer\Products\A8AF73C0D440A694082A93AA590A5BC6

For the 'downgrade' to work...

Still interested to know why I can't install version 6.2.0 Universal Forwarder

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...