When we attempted to upgrade Splunk Universal Forwarder on our Windows servers, they repeatedly failed. Here is a Windows script below that solved the issue. The issue was caused by the registry keys that remained after uninstalling the previous version of Splunk:
REM Set current directory to the folder this script lives in (/d also switches drive)
cd /d %~dp0
REM Uninstall any existing Splunk versions - if no versions are present, the script will continue
wmic product where "name like '%%universalforwarder%%'" call uninstall
REM Remove Splunk installation reg keys.
REM reg.exe takes HKEY_LOCAL_MACHINE\ or HKLM\ paths; the PowerShell drive form HKLM:\ is not accepted.
REM HKEY_CLASSES_ROOT\Installer is a merged view of HKLM\SOFTWARE\Classes\Installer, so the HKCR
REM line below only catches a leftover the HKLM line did not.
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\771F943D524B4D44EB7F87D16BBECDE4" /f
reg delete "HKEY_CLASSES_ROOT\Installer\Products\771F943D524B4D44EB7F87D16BBECDE4" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\771F943D524B4D44EB7F87D16BBECDE4" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\B0271F4D65C5D084FA81634DC56AD4AE" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\splunkd.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\splunk-winevtlog.exe" /f
REM ConfigMgr (SMS) execution-history entries left by earlier deployments of the package
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\SV100012\79ceb0e4-9f86-11ee-a216-000d3ac2f180" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\SV100018\38c9b010-d5c3-11ee-a218-000d3ac2f180" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\SV100019\affe40ec-d660-11ee-a218-000d3ac2f180" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\SV10001F\c19eef51-4dd7-11ef-a21c-000d3ac2f180" /f
REM Value names under Installer\Folders end in a backslash. reg.exe reads \" as an escaped quote,
REM so the key path must not end in a backslash and the value name's trailing backslash is doubled.
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Program Files\SplunkUniversalForwarder\\" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\splunk-perfmon.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-80-972488765-139171986-783781252-3188962990-3730692313" /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{775313CB-929D-442C-8B52-2ED391D816E2}" /f
REM Install Splunk - /passive shows progress and errors; /l*v writes a verbose log next to the script.
REM Note: the credentials below are stored in plain text, so restrict who can read this file.
msiexec.exe /i splunkforwarder-9.2.2-d76edf6f0a15-x64-release.msi SPLUNKUSERNAME="SplunkUser" SPLUNKPASSWORD="password" DEPLOYMENT_SERVER="USW-SPLUNKDPL-1:8089" AGREETOLICENSE=yes /passive /l*v "%~dp0uf-install.log"
REM Start Splunk Service
net start SplunkForwarder
REM Install SPL file - authenticate with the same local admin account the installer created above
"c:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" install app splunkclouduf.spl -auth SplunkUser:password
REM Stop and start Splunk service to enable SPL
net stop SplunkForwarder
net start SplunkForwarder
exit
It's not necessary to uninstall a universal forwarder before upgrading it. Just run the installer and it will perform the steps needed for the upgrade.
Interesting, because I didn't decide to uninstall first; I was told by support to do it.
Was it Splunk's support or some other?
@richgalloway is correct: you should never uninstall the previous version (unless there is some compatibility issue or something else) before an update. From time to time you should go through several UF versions and not install directly over many versions. There could be some stuff, e.g. for the fishbucket etc., which the UF must do to convert those from the old version to the new one.
If/when you uninstall the previous version, it also means that you will reindex all events from that host, as it no longer has any information about what it has previously indexed! With big nodes this could be even terabytes of duplicate events!
r. Ismo
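The in-place upgrade the replies above recommend, as an added PowerShell example that is not code from this thread or from Splunk. It runs the new MSI over the existing installation without uninstalling or touching the registry, so the fishbucket (the forwarder's record of what it has already read) survives and the host is not reindexed. The SplunkForwarder service name and the C:\Program Files\SplunkUniversalForwarder path are taken from the original post's script; the function names, the log path, the MSI file-name pattern, the fishbucket file count as a before/after indicator, and the "one major version per hop" check (a local policy following the reply above, not a Splunk rule) are assumptions of this example.

```powershell
# Upgrade-UF.ps1: in-place Splunk Universal Forwarder upgrade (added example, not from the thread).
# Assumed: service name SplunkForwarder and SPLUNK_HOME below come from the original script;
# function names, log path, file-name regex and the major-version check are this example's own.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    [string] $SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    [string] $LogPath    = (Join-Path $env:TEMP 'uf-upgrade.log')
)
$ErrorActionPreference = 'Stop'

function Get-InstalledUfVersion {
    # The forwarder's Add/Remove Programs entry has a DisplayName containing
    # "UniversalForwarder", the same string the original script matches with wmic.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    $entry = Get-ChildItem -Path $roots -ErrorAction SilentlyContinue |
             Get-ItemProperty |
             Where-Object { $_.DisplayName -like '*UniversalForwarder*' } |
             Select-Object -First 1
    if ($entry) { return [version] $entry.DisplayVersion }
    return $null
}

function Get-MsiVersion {
    param([string] $Path)
    # Splunk packages are named splunkforwarder-<version>-<build>-x64-release.msi
    $leaf = Split-Path -Path $Path -Leaf
    if ($leaf -match '^splunkforwarder-(\d+\.\d+(\.\d+)?)-') { return [version] $Matches[1] }
    throw "Cannot read a version from the MSI file name: $leaf"
}

function Get-FishbucketFileCount {
    param([string] $Dir)
    # Rough checkpoint indicator (assumption of this example): the fishbucket directory
    # holds what the forwarder has already read. Uninstalling loses it; upgrading keeps it.
    if (-not (Test-Path $Dir)) { return 0 }
    return (Get-ChildItem -Path $Dir -Recurse -File | Measure-Object).Count
}

$fishbucket = Join-Path $SplunkHome 'var\lib\splunk\fishbucket'
$installed  = Get-InstalledUfVersion
$target     = Get-MsiVersion $MsiPath

if (-not $installed) { throw 'No Universal Forwarder is installed; this script only upgrades.' }
if ($target -le $installed) { throw "Installed version $installed is already at or above $target." }
if (($target.Major - $installed.Major) -gt 1) {
    # Local policy following the reply above, not a Splunk rule: hop through
    # intermediate releases instead of jumping several major versions at once.
    throw "Refusing to jump from $installed to $target; upgrade one major version at a time."
}

$before = Get-FishbucketFileCount $fishbucket
if ($before -eq 0) { Write-Warning "No fishbucket under $fishbucket; inputs will be read from scratch." }

# No uninstall and no registry surgery: run the new MSI over the existing install.
# Existing configuration (deployment client, inputs, admin credentials) is preserved,
# so only the license acceptance property is needed. /l*v keeps a verbose log.
$msiArgs = @('/i', "`"$MsiPath`"", 'AGREETOLICENSE=Yes', '/quiet', '/norestart', '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin @(0, 3010)) {    # 3010 = ERROR_SUCCESS_REBOOT_REQUIRED
    throw "msiexec exited with $($proc.ExitCode); see $LogPath"
}

$after = Get-FishbucketFileCount $fishbucket
if ($after -lt $before) { Write-Warning "Fishbucket shrank from $before to $after files; expect duplicate events." }

if ((Get-Service -Name SplunkForwarder).Status -ne 'Running') { Start-Service -Name SplunkForwarder }
"Upgraded $installed -> $(Get-InstalledUfVersion); service is $((Get-Service -Name SplunkForwarder).Status)"
```

Run it from an elevated prompt as `.\Upgrade-UF.ps1 -MsiPath .\splunkforwarder-9.2.2-d76edf6f0a15-x64-release.msi`. The only MSI property passed is AGREETOLICENSE, because an upgrade reuses the credentials and deployment-server settings already on the host; the verbose msiexec log is where to look if the upgrade fails, rather than reaching for `wmic product ... call uninstall`, which is what costs you the fishbucket.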