splunkd windows service marked for deletion after upgrade

yazapage
Explorer

I upgraded from Splunk 3.4.9 to 4.0.1 and then to 4.1.5 using localsystem as the account.

After I upgraded the second time the splunkd service was disabled.

I tried to reactivate after changing to a domain account (with the appropriate permissions). The service is "marked for deletion" and will not allow me to change user accounts or start.

Where do I go from here? Do I need to start my upgrades all over again?

1 Solution

Ledio_Ago
Splunk Employee

Yazapage,

It seems like the "splunkd" Windows service is stuck in an un-deterministic state. First of all, once Splunk is running as a Local System user, all of the files created at run time will be owned by that user. Switching to a Domain user account will not do any good. I suggest you switch both services, including splunkweb, back to Local System user again.

As far as the splunkd service, you may need to reboot the machine for the Windows Service manager to release that service. Once the machine comes back up online again, the services manager will have deleted the service, and you'll need to create another one.

As far as splunkweb, just open service manager and tell splunkweb service to run as Local System user.

Since the splunkd service is deleted now, to create it again open a terminal and go to the Splunk home bin directory, e.g.:

cd c:\Program Files\Splunk\bin

From there run:

splunk enable boot-start

This command will try to create both services, splunkd and splunkweb, all over again.

Start splunk:

splunk start

Let us know how it goes.

Thanks, Ledio
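
A read-only check for the situation in this thread, added here as an example and not part of any post or of Splunk's tooling: it reports whether splunkd and splunkweb are pending deletion, missing, or disabled, and which account each runs as. It assumes the service names used in the thread and relies on Windows recording a pending deletion as a DeleteFlag value under the service's registry key; the function name is hypothetical.

```powershell
# Added example (not from the thread). Read-only: changes nothing on the host.
# Service names come from the thread; Get-SplunkServiceState is a hypothetical name.
$ServiceNames = 'splunkd', 'splunkweb'

function Get-SplunkServiceState {
    param([string[]]$Name)

    foreach ($n in $Name) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        $keyExists = Test-Path -LiteralPath $key

        # The Service Control Manager sets DeleteFlag=1 when a delete was
        # requested but cannot complete until the service is released.
        $deleteFlag = $null
        if ($keyExists) {
            $props = Get-ItemProperty -LiteralPath $key -Name DeleteFlag -ErrorAction SilentlyContinue
            if ($props) { $deleteFlag = $props.DeleteFlag }
        }

        # Win32_Service gives the logon account (StartName) and the start mode.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'" -ErrorAction SilentlyContinue

        if ($deleteFlag -eq 1) {
            $status = 'Marked for deletion: reboot, then recreate the service'
        } elseif (-not $keyExists) {
            $status = 'Missing: run "splunk enable boot-start" from the Splunk bin directory'
        } elseif ($svc -and $svc.StartMode -eq 'Disabled') {
            $status = 'Present but disabled'
        } else {
            $status = 'Present'
        }

        [pscustomobject]@{
            Name      = $n
            Status    = $status
            State     = if ($svc) { $svc.State } else { $null }
            StartMode = if ($svc) { $svc.StartMode } else { $null }
            RunsAs    = if ($svc) { $svc.StartName } else { $null }  # e.g. LocalSystem
        }
    }
}

Get-SplunkServiceState -Name $ServiceNames | Format-Table -AutoSize -Wrap
```

Running it before the reboot and again after "splunk enable boot-start" shows whether the deletion completed and whether both services came back under the same account.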

yazapage
Explorer

The services were recreated properly after I rebooted and ran the "splunk enable boot-start" command.
Now I have some other issues.

0 Karma

malmoore
Splunk Employee

Services marked for deletion won't be accessible until the server is restarted. After you bounce the box you should be able to create the service again.

0 Karma