Splunk Install wizard ends prematurely

eholz1
Communicator

I upgraded from Splunk 6.2.5 to 7.0. It seemed to work, but I get KV store errors. No luck on resolving those errors.

I then tried to upgrade from 7.0 to 7.3, and the wizard ends prematurely. The O/S is a VM running W2K12.
The splunk user is a domain user and an admin; the files/folders all have permissions for the user as full-control.

Short of removing and re-installing - what can I be looking for? The log file just says: "FatalError1"

Thanks,
eholz1

0 Karma

woodcock
Esteemed Legend

There is a default log file in AppData/Local/Temp/splunk.log, and you can force more logging with $ msiexec /I <splunk-MSI> /l*v <log-file>. The problem is almost always that Splunk cannot write to the disk because of a permission problem.

0 Karma

eholz1
Communicator

Thanks, will check the file in the temp folder. I have been using the msiexec method to start it. I have a new problem now!
Ouch - the splunkd service will not stay running!

Thanks for the input,

eholz1

0 Karma

woodcock
Esteemed Legend

So you got through the install wizard?

0 Karma

eholz1
Communicator

Hello woodcock,

Well, it seems the issue is permissions, as you indicated. A domain user is set to run the splunkd service, and from what I read the "splunkuser" should have access to D:\Program Files\Splunk....

Does this user also have to have permissions on D:...?

I am unable to set permissions on some files and folders under Splunk/... When I attempt to set the permissions, some folders/files return "access denied".

I will do more research tomorrow.

Thanks,
eholz1

0 Karma

jhornsby_splunk
Splunk Employee

Hi eholz1,

The installer should be ensuring that all permissions are correct, so unless that is failing (which should be recorded in the %TEMP%/splunk.log file that @woodcock mentioned---search for icacls), there really shouldn't be a problem there. However, what is true for some directories\files is that although the user that splunkd executes as has access, you as a member of Administrators, or whatever, may not. That is somewhat unconventional for Windows, but it is not a bug per se.

Hope this clarifies some.

Cheers,

- Jo.

0 Karma
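
Added example, not part of any post in this thread: a PowerShell sketch for triaging the verbose log produced by the `/l*v` switch mentioned above, pulling out failed actions and any `icacls` or access-denied lines. `Return value 3` is the standard Windows Installer marker for a failed action; the log path, the function names and the sample lines are assumptions constructed for illustration.

```powershell
# Log written by: msiexec /i <splunk-MSI> /l*v <log-file>
$LogPath = 'C:\Temp\splunk-install.log'   # hypothetical path; use your own <log-file>

# Constructed sample lines in the usual shape of a verbose MSI log (placeholder names)
$sample = @(
    'Action start 10:15:01: ExampleCustomAction.'
    'ExampleCustomAction: running icacls on <install-dir>'
    'ExampleCustomAction: Access is denied.'
    'Action ended 10:15:03: ExampleCustomAction. Return value 3.'
    'Action ended 10:15:03: INSTALL. Return value 3.'
)

function Find-MsiFailure {
    # Return each failed action ("Return value 3") with the lines leading up to it
    param([string[]]$Lines, [int]$Context = 3)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match 'Return value 3') {
            $from = [Math]::Max(0, $i - $Context)
            [pscustomobject]@{
                LineNumber = $i + 1
                Failure    = $Lines[$i]
                Context    = @($Lines[$from..$i])
            }
        }
    }
}

function Find-PermissionHint {
    # Case-insensitive search for ACL-related lines, with their line numbers
    param([string[]]$Lines)
    $Lines | Select-String -Pattern 'icacls', 'access is denied' |
        ForEach-Object { '{0}: {1}' -f $_.LineNumber, $_.Line }
}

# Fall back to the constructed sample when the log file is not present
$logLines = if (Test-Path $LogPath) { Get-Content -Path $LogPath } else { $sample }

Find-MsiFailure -Lines $logLines | Format-List
Find-PermissionHint -Lines $logLines
```

The earliest `Return value 3` in the log is usually the action to investigate; later ones tend to be the installer unwinding after that failure.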

eholz1
Communicator

Hello jhornsby,

Thanks for the reply, I will check icacls and see what it shows.
There is no splunk.log file in %TEMP%. I will assume that %TEMP% is that user/appdata/local/splunk, etc.

Thanks for the tip, I will check things out (again) and get back one way or the other.

eholz1

0 Karma

eholz1
Communicator

Found the problem. There were two bogus CA PEM files in the /etc/auth folder.
I deleted those, and the install completed. Thanks,

0 Karma

eholz1
Communicator

Forgot to mention the processor is Intel.

0 Karma