Installation

Splunk Install wizard ends prematurely

eholz1
Contributor

I upgraded from Splunk 6.2.5 to 7.0. It seemed to work, but I get KV store errors. No luck on resolving those errors.

I then tried to upgrade from 7.0 to 7.3, and the wizard ends prematurely. The O/S is a VM running W2K12.
The splunk user is a domain user and an admin. The files/folders all have permissions for the user as full-control.

Short of removing and re-installing - what can I be looking for? The log file just says: "FatalError1"

Thanks,
eholz1

0 Karma

woodcock
Esteemed Legend

There is a default log file in AppData/Local/Temp/splunk.log, and you can force more logging with $ msiexec /I <splunk-MSI> /l*v <log-file>. The problem is almost always that Splunk cannot write to the disk because of a permission problem.

0 Karma

eholz1
Contributor

Thanks, will check the file in the temp folder. I have been using the msiexec method to start it. I have a new problem now!
Ouch - the splunkd service will not stay running!

Thanks for the input,

eholz1

0 Karma

woodcock
Esteemed Legend

So you got through the install wizard?

0 Karma

eholz1
Contributor

Hello woodcock,

Well, it seems the issue is permissions as you indicated. A domain user is set to run the splunkd service,
and from what I read the "splunkuser" should have access to D:\Program Files\Splunk....

Does this user also have to have permissions on D:...?

I am unable to set permissions on some files and folders under Splunk/...; when I attempt to set the permissions, some folders/files return "access denied".

I will do more research tomorrow.

Thanks,
eholz1

0 Karma

jhornsby_splunk
Splunk Employee

Hi eholz1,

The installer should be ensuring that all permissions are correct, so unless that is failing (which should be recorded in the %TEMP%/splunk.log file that @woodcock mentioned---search for icacls), there really shouldn't be a problem there. However, what is true for some directories\files is that although the user that splunkd executes as has access, you as a member of Administrators, or whatever, may not. That is somewhat unconventional for Windows, but it is not a bug per se.

Hope this clarifies some.

Cheers,

Jo.
0 Karma
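
Added example (not part of the original thread and not Splunk's own tooling): a PowerShell sketch of the log review suggested above. It reads a verbose msiexec log, shows the lines leading up to each failed installer action, and lists the icacls and access-denied entries. The log file name is a hypothetical placeholder; pass the path you gave to /l*v.

```powershell
# Added example. $LogPath is an assumption: point it at the verbose log written
# by "msiexec /I <splunk-MSI> /l*v <log-file>" or at the installer's splunk.log.
param(
    [string]$LogPath = (Join-Path $env:TEMP 'splunk-install.log')  # hypothetical name
)

# %TEMP% is per-user, so show where it resolves for the account running this script.
"TEMP resolves to: $env:TEMP"

if (-not (Test-Path -LiteralPath $LogPath)) {
    Write-Error "Log not found: $LogPath"
    return
}

# @() keeps a one-line file as an array; Get-Content honours the BOM on UTF-16 logs.
$lines = @(Get-Content -LiteralPath $LogPath)

# 1. Windows Installer writes "Return value 3" after the action that aborted the
#    install. Print the 15 lines before each one to see what that action did.
$failed = 0
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match 'Return value 3') {
        $failed++
        $from = [Math]::Max(0, $i - 15)
        "---- failed action ending at line $($i + 1) ----"
        $lines[$from..$i]
    }
}
"Failed actions found: $failed"

# 2. Permission changes made by the installer: every line that mentions icacls.
$acl = @($lines | Where-Object { $_ -match 'icacls' })
"---- icacls entries: $($acl.Count) ----"
$acl

# 3. Explicit permission failures anywhere in the log (-match is case-insensitive).
$denied = @($lines | Where-Object { $_ -match 'access (is )?denied' })
"---- access-denied entries: $($denied.Count) ----"
$denied
```

Run it as the same account that ran the installer, since the default log location depends on that account's %TEMP%.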

eholz1
Contributor

Hello jhornsby,

Thanks for the reply, I will check icacls and see what it shows.
There is no splunk.log file in %TEMP%. I will assume that %TEMP% is that user/appdata/local/splunk, etc.

Thanks for the tip, I will check things out (again) and get back one way or the other.

eholz1

0 Karma

eholz1
Contributor

Found the problem. There were two bogus CA PEM files in the /etc/auth folder.
I deleted those, and the install completed. Thanks,

0 Karma

eholz1
Contributor

Forgot to mention the processor is Intel.

0 Karma