Handy commands for uninstalling SplunkUniversalForwarder from Windows

Path Finder

Just in case it's helpful for anyone, here are some simple commands you can run from Windows PowerShell to uninstall SplunkUniversalForwarder from Windows.  This is especially useful if you have a lot of Windows servers to uninstall from, as this solution could easily be scripted.  (Uninstalls on Linux are much easier to script.)

Per the official Splunk documentation you need to know the exact name of the installation program.  This solution doesn't require prior knowledge and could be extended for uninstalling any MSI-installed program.

& "C:\Program Files\SplunkUniversalForwarder\bin\splunk" stop
$productCode = get-wmiobject Win32_Product -Filter "name='UniversalForwarder'" | % { $_.IdentifyingNumber }
msiexec /x$productCode /qn

Again, these commands need to be run from PowerShell, not a regular command prompt.  The get-wmiobject command can take several minutes to run.  After coming up with this I found similar solutions on StackOverflow here, including one that uses the registry that supposedly performs better.  I didn't try any of these out.  All of these techniques can run into problems if there are multiple programs that have the same names, but that's unlikely in this case.

In case you're wondering why I didn't reference %SPLUNK_HOME% in the first command, it's because this environment variable is not set on our servers for some reason, presumably due to the way Splunk was originally installed.

Labels (2)
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!