Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why are Splunk Forwarders "re-configuring" every 10 minutes according to event logs?

jmaple
Communicator
‎03-08-2016 10:38 AM

We noticed while investigating issues that the Splunk Forwarder is repeatedly "re-configuring" itself using the MSI package? Here is the event we keep seeing.

03/08/2016 01:26:15 PM
LogName=Application
SourceName=MsiInstaller
EventCode=1035
EventType=4
Type=Information
ComputerName=hostname
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=None
OpCode=Info
RecordNumber=61598476
Keywords=Classic
Message=Windows Installer reconfigured the product. Product Name: UniversalForwarder. Product Version: 6.3.1.0. Product Language: 1033. Manufacturer: Splunk, Inc.. Reconfiguration success or error status: 0.

This event happens 12 times every 10 minutes. Has anyone else seen this happening?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎03-08-2016 06:17 PM

It isn't necessarily related to Splunk directly though it probably is.

I just had the same issue with a SQL box "reconfiguring" SQL because it had been patched but not yet rebooted. It was a fight between the updated version and the unupdated version, and a reboot took care of it. I've seen it happen when the installer needs to swap out files but has a service or lock it can't stop or fix.

Here's a big long and only partially applicable look at some of the things to check if a reboot doesn't resolve this.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎03-08-2016 06:17 PM

It isn't necessarily related to Splunk directly though it probably is.

I just had the same issue with a SQL box "reconfiguring" SQL because it had been patched but not yet rebooted. It was a fight between the updated version and the unupdated version, and a reboot took care of it. I've seen it happen when the installer needs to swap out files but has a service or lock it can't stop or fix.

Here's a big long and only partially applicable look at some of the things to check if a reboot doesn't resolve this.

0 Karma
Reply
Solved! Jump to solution

muebel
SplunkTrust
SplunkTrust
‎03-08-2016 11:18 AM

Are you running any scripted inputs, or any inputs at all that interact with wmi? In particular win32_product?

0 Karma
Reply
Solved! Jump to solution

jmaple
Communicator
‎03-08-2016 11:25 AM

Currently we only use that which is included in the "Splunk_TA_windows" app and we don't have all inputs that are stock with the app enabled. I don't believe we have any inputs that interact with WMI that repeats at 10 minute intervals.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...