Installation

Can you help me troubleshoot my Splunk Enterprise (7.2.1) install on Win10 (64-bit)?

irios86
Engager

Hello,

I'm new here and I'm trying to utilize the free training courses offered under the Splunk Veterans program. I'm at the point where I need to start the labs, but I can't get Splunk Enterprise to install on either my desktop or laptop. Both machines are running Windows 10 64-bit (1803) code. I am using an administrator-level account and I have verbose logging from msiexec. On both of my machines, it keeps failing at the SetAllUsers portion:

Action start 16:59:57: SetAllUsers.
MSI (c) (28:B0) [16:59:57:971]: Invoking remote custom action. DLL: C:\Users\irios\AppData\Local\Temp\MSI9407.tmp, Entrypoint: SetAllUsersCA
MSI (c) (28:28) [16:59:57:972]: Cloaking enabled.
MSI (c) (28:28) [16:59:57:972]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (28:28) [16:59:57:972]: Connected to service for CA interface.
SetAllUsers:  Debug: Num of subkeys found: 1.
SetAllUsers:  Info: Previously installed Splunk product is not found.
SetAllUsers:  Error: Failed SetAllUsers: 0x2.
SetAllUsers:  Info: Leave SetAllUsers: 0x80004005.
CustomAction SetAllUsers returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 16:59:57: SetAllUsers. Return value 3.

I have already tried sfc /scannow on both of my systems, and no issues were discovered.

I'm completely lost at this point and I really don't want to do a clean install on either of my systems. Does anyone have any idea what could be causing this issue?

Thanks in advance!

0 Karma
1 Solution

irios86
Engager

Well, I only spent 4 hrs digging around before caving in and posting the question here. 30 minutes after posting I figured it out. I always keep the Administrator account disabled. I figured it was worth a shot enabling it and logging in as Administrator. Lo and behold, it installed without a hitch using the Administrator account.

I went through the install process and then I logged back in using my normal account. Since Splunk installs for all users, I was able to re-disable my Administrator account and still use Splunk on my normal account.

Hope this helps someone else! I don't understand why it didn't work before since my normal user account is part of the Administrators group. Either way, not bothered because now I can press on.

Thanks!

0 Karma
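
Added example, not part of the original thread and not Splunk's own tooling: a small parser that pulls the failing action out of a verbose msiexec log like the one in the question (an action that ends with "Return value 3" is the one that failed) and names the Windows error codes logged inside it. The function name `failed_actions` and the record layout are assumptions made for illustration.

```python
import re

# Verbose msiexec excerpt copied from the question above.
SAMPLE_LOG = r"""
Action start 16:59:57: SetAllUsers.
MSI (c) (28:B0) [16:59:57:971]: Invoking remote custom action. DLL: C:\Users\irios\AppData\Local\Temp\MSI9407.tmp, Entrypoint: SetAllUsersCA
MSI (c) (28:28) [16:59:57:972]: Cloaking enabled.
MSI (c) (28:28) [16:59:57:972]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (28:28) [16:59:57:972]: Connected to service for CA interface.
SetAllUsers:  Debug: Num of subkeys found: 1.
SetAllUsers:  Info: Previously installed Splunk product is not found.
SetAllUsers:  Error: Failed SetAllUsers: 0x2.
SetAllUsers:  Info: Leave SetAllUsers: 0x80004005.
CustomAction SetAllUsers returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 16:59:57: SetAllUsers. Return value 3.
"""

# Standard Windows names for the codes seen in the excerpt.
CODE_NAMES = {0x2: "ERROR_FILE_NOT_FOUND", 0x80004005: "E_FAIL", 1603: "ERROR_INSTALL_FAILURE"}
START = re.compile(r"^Action start [\d:]+: (\S+)\.$")
END = re.compile(r"^Action ended [\d:]+: (\S+)\. Return value (\d+)\.$")
ENTRY = re.compile(r"Entrypoint: (\S+)")
CODE = re.compile(r"\b0x[0-9A-Fa-f]+\b|(?<=error code )\d+")

def failed_actions(log_text):
    """Return a record for every action that ended with 'Return value 3' (fatal error)."""
    stack, failures = [], []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := START.match(line):
            stack.append({"action": m.group(1), "entrypoint": None, "codes": []})
        elif m := END.match(line):
            # Close the innermost open action with this name; actions can nest.
            for i in range(len(stack) - 1, -1, -1):
                if stack[i]["action"] == m.group(1):
                    rec = stack.pop(i)
                    if m.group(2) == "3":
                        failures.append(rec)
                    break
        elif stack:
            rec = stack[-1]  # lines between start and end belong to the innermost action
            if e := ENTRY.search(line):
                rec["entrypoint"] = e.group(1)
            for tok in CODE.findall(line):
                value = int(tok, 16) if tok.lower().startswith("0x") else int(tok)
                rec["codes"].append((tok, CODE_NAMES.get(value, "unknown")))
    return failures

if __name__ == "__main__":
    print(failed_actions(SAMPLE_LOG))
```

On a full installer log this narrows the search to the custom action that failed and the codes it reported, rather than the generic 1603 that msiexec returns at the end.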
