Installation

Splunk Install Error on Windows

Drainy
Champion

When trying to install Splunk 4.3 on Windows 2003 I encountered the error;
"Splunk Installer was unable to create Splunk services. Please make sure the user running the installer has the correct privileges, including being able to create Windows Services. Exitcode='1'"

What has caused this and how can I fix it?

1 Solution

Drainy
Champion

There are a couple of things that can cause this;

Firstly you are not running the setup program with administrative privileges. If you are running a non "Administrator" admin account, ensure you right click and choose to Run as administrator.

The next option is that you may have a similar error to above but with exit code 4 and the service cannot start instead of failing to install, this is because you chose to run the Splunk services as something other than the local system account. If you enter the details for another account it is possible you have entered them in incorrectly or they do not have permissions set to run as a service.

Finally, it is possible you have either a failed previous install, an old install that wasn't cleanly removed or your install has just fallen over.
If it says it has failed to install, go to the start menu and choose run, type in services.msc
Look down the list for splunkd and Splunkweb. See them there? in that case it is possible you have an old install or a failed install. After you have made sure you have tried to run an uninstall for Splunk but they are still present you can run the following commands;

ONLY DO THIS IF THE OPTION TO UNINSTALL SPLUNK EITHER VIA THE ADD/REMOVE PROGRAMS WINDOW IS NOT PRESENT OR IF WHEN YOU RIGHT CLICK ON THE SPLUNK INSTALLER AND SELECT UNINSTALL IT SAYS THAT THE PROGRAM MUST BE INSTALLED FIRST - DO NOT DO THIS ON A WORKING INSTALL

From the start menu right click on Command prompt if it is in the recent list and choose to run as administrator, otherwise navigate to the windows\system32 directory and right click on cmd.exe to run as admin.
Inside the prompt type;

sc delete Splunkd
sc delete Splunkweb

This will forcibly remove the services and allow the installer to hopefully run successfully on the next run.
This has been tested on Win2k3 but may work on other versions.

View solution in original post

vince2010091
Path Finder

Be careful, sometimes the service is named: "Splunkweb Service" so use :

sc delete Splunkweb Service

0 Karma

i_chandan
New Member

I was able to install on Windows 7 at location - "C:\Program Files (x86)\ " folder.
Earlier I was trying to install 'splunk-6.1.2-213098-x64-release' under "C:\Program Files" and was getting error (Error 1310.Error writing to file : C:Program FilesSplunketcanonymizeranonymizer-time.ini").

0 Karma

chandankumar
New Member

Deleting services from cmd worked for me on Windows 7. However I see and new issue now - "Error 1310.Error writing to file : C:Program FilesSplunketcanonymizeranonymizer-time.ini".Verify that you have access to that directory

0 Karma

JosephATL
New Member

On my Windows 2003 server, the SplunkForwarder tried to install in C:\ root directory. This is not allowed by our security policy. I installed it in C:\Program Files\SplunkForwarder, and all is OK.

0 Karma

chandramoulidg
New Member

I am also facing the same issue, I removed Splunkd and Splunkweb from services and tried, no luck. I have admin priviliges too.

0 Karma

anujamk
Engager

Didn't work for me! On windows XP

0 Karma

templier
Communicator

And me. This problem on 2 PC

0 Karma

nick_richard
New Member

Excellent, worked on my XP machine.

Thanks

0 Karma

Drainy
Champion

There are a couple of things that can cause this;

Firstly you are not running the setup program with administrative privileges. If you are running a non "Administrator" admin account, ensure you right click and choose to Run as administrator.

The next option is that you may have a similar error to above but with exit code 4 and the service cannot start instead of failing to install, this is because you chose to run the Splunk services as something other than the local system account. If you enter the details for another account it is possible you have entered them in incorrectly or they do not have permissions set to run as a service.

Finally, it is possible you have either a failed previous install, an old install that wasn't cleanly removed or your install has just fallen over.
If it says it has failed to install, go to the start menu and choose run, type in services.msc
Look down the list for splunkd and Splunkweb. See them there? in that case it is possible you have an old install or a failed install. After you have made sure you have tried to run an uninstall for Splunk but they are still present you can run the following commands;

ONLY DO THIS IF THE OPTION TO UNINSTALL SPLUNK EITHER VIA THE ADD/REMOVE PROGRAMS WINDOW IS NOT PRESENT OR IF WHEN YOU RIGHT CLICK ON THE SPLUNK INSTALLER AND SELECT UNINSTALL IT SAYS THAT THE PROGRAM MUST BE INSTALLED FIRST - DO NOT DO THIS ON A WORKING INSTALL

From the start menu right click on Command prompt if it is in the recent list and choose to run as administrator, otherwise navigate to the windows\system32 directory and right click on cmd.exe to run as admin.
Inside the prompt type;

sc delete Splunkd
sc delete Splunkweb

This will forcibly remove the services and allow the installer to hopefully run successfully on the next run.
This has been tested on Win2k3 but may work on other versions.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...