Getting Data In

Why am I unable to install Splunk universal forwarder on Windows server 2012 R2?

Explorer

Hi

Unable to install Splunk universal forwarder on Windows server 2012 R2, please help to solve this issue.

Logs

04-04-2017 21:49:01.089 +0530 INFO  ServerConfig - Found no hostname options in server.conf. Will attempt to use default for now.
04-04-2017 21:49:01.089 +0530 INFO  ServerConfig - Host name option is "".
04-04-2017 21:49:03.538 +0530 INFO  loader - Running utility: "check-transforms-keys"
04-04-2017 21:49:03.538 +0530 INFO  loader - Getting configuration data from: C:\Program Files\SplunkUniversalForwarder\etc\myinstall\splunkd.xml
04-04-2017 21:49:03.538 +0530 INFO  loader - SPLUNK_MODULE_PATH environment variable not found - defaulting to C:\Program Files\SplunkUniversalForwarder\etc\modules
04-04-2017 21:49:03.538 +0530 INFO  loader - loading modules from C:\Program Files\SplunkUniversalForwarder\etc\modules
04-04-2017 21:49:03.553 +0530 INFO  loader - Writing out composite configuration file: C:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xml
04-04-2017 21:49:05.363 +0530 INFO  loader - Splunkd starting (build 67571ef4b87d).
04-04-2017 21:49:05.363 +0530 INFO  loader - System info: Windows, TSMSRV2, 2, 6, x64.
04-04-2017 21:49:05.363 +0530 INFO  loader - Detected 1 (virtual) CPUs, 1 CPU cores, and 16383MB RAM
04-04-2017 21:49:05.363 +0530 INFO  loader - Maximum number of threads (approximate): 8191
04-04-2017 21:49:05.363 +0530 INFO  loader - Arguments are: "rest" "--noauth" "POST" "/services/apps/local/SplunkUniversalForwarder/enable"
04-04-2017 21:49:05.363 +0530 INFO  loader - Getting configuration data from: C:\Program Files\SplunkUniversalForwarder\etc\myinstall\splunkd.xml
04-04-2017 21:49:05.363 +0530 INFO  loader - SPLUNK_MODULE_PATH environment variable not found - defaulting to C:\Program Files\SplunkUniversalForwarder\etc\modules
04-04-2017 21:49:05.363 +0530 INFO  loader - loading modules from C:\Program Files\SplunkUniversalForwarder\etc\modules
04-04-2017 21:49:05.363 +0530 INFO  loader - Writing out composite configuration file: C:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xml
04-04-2017 21:49:05.379 +0530 INFO  ServerConfig - Found no hostname options in server.conf. Will attempt to use default for now.
04-04-2017 21:49:05.379 +0530 INFO  ServerConfig - Host name option is "".
04-04-2017 21:49:05.394 +0530 WARN  AuthenticationManagerSplunk - Seed file is not present. Defaulting to generic username/pass pair.
04-04-2017 21:49:05.410 +0530 WARN  UserManagerPro - Can't find [distributedSearch] stanza in distsearch.conf, using default authtoken HTTP timeouts
04-04-2017 21:49:06.720 +0530 ERROR LimitsHandler - Configuration from app=SplunkUniversalForwarder does not support reload: limits.conf/[thruput]/maxKBps
04-04-2017 21:49:06.720 +0530 ERROR ApplicationUpdater - Error reloading SplunkUniversalForwarder: handler for limits (access_endpoints /server/status/limits/general): Bad Request
04-04-2017 21:49:06.720 +0530 ERROR ApplicationUpdater - Error reloading SplunkUniversalForwarder: handler for server (http_post /replication/configuration/whitelist-reload): Application does not exist: Not Found
04-04-2017 21:49:06.720 +0530 ERROR ApplicationUpdater - Error reloading SplunkUniversalForwarder: handler for web (http_post /server/control/restart_webui_polite): Application does not exist: Not Found
04-04-2017 21:49:06.720 +0530 WARN  LocalAppsAdminHandler - User 'splunk-system-user' triggered the 'enable' action on app 'SplunkUniversalForwarder', and the following objects required a restart: default-mode, limits, server, web
04-04-2017 21:49:07.095 +0530 INFO  loader - Splunkd starting (build 67571ef4b87d).
04-04-2017 21:49:07.095 +0530 INFO  loader - System info: Windows, TSMSRV2, 2, 6, x64.
04-04-2017 21:49:07.095 +0530 INFO  loader - Detected 1 (virtual) CPUs, 1 CPU cores, and 16383MB RAM
04-04-2017 21:49:07.095 +0530 INFO  loader - Maximum number of threads (approximate): 8191
04-04-2017 21:49:07.095 +0530 INFO  loader - Arguments are: "rest" "--noauth" "POST" "/servicesNS/nobody/SplunkUniversalForwarder/data/outputs/tcp/server" "name=192.168.6.74:9997"
04-04-2017 21:49:07.095 +0530 INFO  loader - Getting configuration data from: C:\Program Files\SplunkUniversalForwarder\etc\myinstall\splunkd.xml
04-04-2017 21:49:07.095 +0530 INFO  loader - SPLUNK_MODULE_PATH environment variable not found - defaulting to C:\Program Files\SplunkUniversalForwarder\etc\modules
04-04-2017 21:49:07.095 +0530 INFO  loader - loading modules from C:\Program Files\SplunkUniversalForwarder\etc\modules
04-04-2017 21:49:07.095 +0530 INFO  loader - Writing out composite configuration file: C:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xml
04-04-2017 21:49:07.126 +0530 INFO  ServerConfig - Found no hostname options in server.conf. Will attempt to use default for now.
04-04-2017 21:49:07.126 +0530 INFO  ServerConfig - Host name option is "".
04-04-2017 21:49:07.142 +0530 WARN  UserManagerPro - Can't find [distributedSearch] stanza in distsearch.conf, using default authtoken HTTP timeouts
04-04-2017 21:49:07.563 +0530 INFO  loader - Splunkd starting (build 67571ef4b87d).
04-04-2017 21:49:07.563 +0530 INFO  loader - System info: Windows, TSMSRV2, 2, 6, x64.
04-04-2017 21:49:07.563 +0530 INFO  loader - Detected 1 (virtual) CPUs, 1 CPU cores, and 16383MB RAM
04-04-2017 21:49:07.563 +0530 INFO  loader - Maximum number of threads (approximate): 8191
04-04-2017 21:49:07.563 +0530 INFO  loader - Arguments are: "rest" "--noauth" "POST" "/servicesNS/nobody/SplunkUniversalForwarder/admin/deploymentclient/deployment-client" "targetUri=192.168.6.74:8089"
04-04-2017 21:49:07.563 +0530 INFO  loader - Getting configuration data from: C:\Program Files\SplunkUniversalForwarder\etc\myinstall\splunkd.xml
04-04-2017 21:49:07.563 +0530 INFO  loader - SPLUNK_MODULE_PATH environment variable not found - defaulting to C:\Program Files\SplunkUniversalForwarder\etc\modules
04-04-2017 21:49:07.563 +0530 INFO  loader - loading modules from C:\Program Files\SplunkUniversalForwarder\etc\modules
04-04-2017 21:49:07.563 +0530 INFO  loader - Writing out composite configuration file: C:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xml
04-04-2017 21:49:07.563 +0530 INFO  ServerConfig - Found no hostname options in server.conf. Will attempt to use default for now.
04-04-2017 21:49:07.563 +0530 INFO  ServerConfig - Host name option is "".
04-04-2017 21:49:07.594 +0530 WARN  UserManagerPro - Can't find [distributedSearch] stanza in distsearch.conf, using default authtoken HTTP timeouts
04-04-2017 21:49:07.610 +0530 WARN  DC:PhonehomeThread - Phonehome thread is now shutdown.

Path Finder

I'm having this exact issue on 2008 R2 as well as 2012 R2 with both 6.5.2 and 6.5.3 (see below) and it's holding up a good chunk of installations. Have you had any luck?

4-28-2017 10:14:38.923 -0400 WARN  DC:PhonehomeThread - Phonehome thread is now shutdown.
0 Karma

Splunk Employee
Splunk Employee

Here is some documentation that might be helpful from the Forwarder Manual:

Here are some simple step-by-step instructions from a universal forwarder configuration in Splunk Light that might give you an idea of a basic configuration:
http://docs.splunk.com/Documentation/SplunkLight/6.5.1612/GettingStarted/GettingdataintoSplunkLightu...

0 Karma

Explorer

Thank you for the response, I have tried installing 6.1.3 UF it's perfectly working fine on windows server 2012 R2 . the latest version of is not working on any of the windows server 2012 R2 not too sure why?

0 Karma

Splunk Employee
Splunk Employee

Which version did you try to install on 4-April?

Can you try 6.4.6? There was a fix implemented for an issue found when deploying servers via an SCCM-like solution.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!