Getting Data In

splunkd windows service marked for deletion after upgrade

yazapage
Explorer

I upgraded from Splunk 3.4.9 to 4.0.1 and then to 4.1.5 using localsystem as the account.

After I upgraded the second time the splunkd service was disabled.

I tried to reactivate after changing to a domain account (with the appropriate permissions). The service is "marked for deletion" and will not allow me to change user accounts or start.

Where do I go from here? Do I need to start my upgrades all over again?

1 Solution

Ledio_Ago
Splunk Employee

Yazapage,

it seems like the "splunkd" Windows service is stuck in an un-deterministic state. First of all, once Splunk is running as a Local System user, all of the files created at run time will be owned by that user. Switching to a Domain user account will not do any good. I suggest you switch both services, including splunkweb, back to Local System User again.

As far as the splunkd service, you may need to reboot the machine for the Windows Service manager to release that service. Once the machine comes back up online again, the services manager will have deleted the service, and you'll need to create another one.

As far as splunkweb, just open service manager and tell splunkweb service to run as Local System user.

Since the splunkd service is deleted now, to create it again open a terminal and go to the Splunk home bin directory, e.g.:

cd "c:\Program Files\Splunk\bin"

From there run:

splunk enable boot-start

This command will try to create both services, splunkd and splunkweb, all over again.

Start splunk:

splunk start

Let us know how it goes.

Thanks, Ledio
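
A read-only check for the state discussed in this thread, as an added example that is not part of the original posts: for splunkd and splunkweb it reports whether the service is still registered, whether the Service Control Manager has flagged it for deletion (the `DeleteFlag` registry value), and which account it logs on as. The function name `Get-SplunkServiceStatus` is hypothetical; run it from an elevated PowerShell prompt before and after the reboot.

```powershell
# Added example (not from the thread): inspect the two Splunk services named above.
$serviceNames = 'splunkd', 'splunkweb'

function Get-SplunkServiceStatus {
    param([string[]]$Name)

    foreach ($svcName in $Name) {
        # Each Windows service has a key here; it disappears once the service is really deleted.
        $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
        $key     = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue

        # Win32_Service exposes the run state, start mode and logon account (StartName).
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'" `
                   -ErrorAction SilentlyContinue

        # DeleteFlag = 1 means "marked for deletion": the service cannot be
        # reconfigured or started until it has been released (here, by a reboot).
        $pendingDelete = ($null -ne $key) -and
                         ($key.PSObject.Properties.Name -contains 'DeleteFlag') -and
                         ($key.DeleteFlag -eq 1)

        [pscustomobject]@{
            Service       = $svcName
            Registered    = ($null -ne $key)
            PendingDelete = $pendingDelete
            State         = if ($svc) { $svc.State }     else { 'n/a' }
            StartMode     = if ($svc) { $svc.StartMode } else { 'n/a' }
            LogOnAs       = if ($svc) { $svc.StartName } else { 'n/a' }
        }
    }
}

$status = Get-SplunkServiceStatus -Name $serviceNames
$status | Format-Table -AutoSize

foreach ($s in $status) {
    if ($s.PendingDelete) {
        Write-Output "$($s.Service): marked for deletion, reboot before recreating it."
    } elseif (-not $s.Registered) {
        Write-Output "$($s.Service): not registered, recreate it with 'splunk enable boot-start'."
    } elseif ($s.LogOnAs -ne 'LocalSystem') {
        Write-Output "$($s.Service): logs on as '$($s.LogOnAs)', not Local System."
    } else {
        Write-Output "$($s.Service): registered, logs on as Local System, state $($s.State)."
    }
}
```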

yazapage
Explorer

The services were recreated properly after I rebooted and ran the "splunk enable boot-start" command.
Now I have some other issues.

0 Karma

malmoore
Splunk Employee

Services marked for deletion won't be accessible until the server is restarted. After you bounce the box you should be able to create the service again.

0 Karma