Installation

Splunk Universal forwarder upgrade - issues - Universal Forwarder installation fails

chuckpnla
New Member

When we attempted to upgrade Splunk Universal Forwarder on our Windows servers, they repeatedly failed.  Here is a Windows script that solved the issue below.  The issue was caused by the registry keys that remained after uninstalling the previous version of Splunk:

REM Set current directory
cd %~dp0
REM Uninstall any existing Splunk versions - if no versions are present, the script will continue
wmic product where "name like '%%universalforwarder%%'" call uninstall
REM Remove Splunk installation reg keys
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\771F943D524B4D44EB7F87D16BBECDE4 /f
reg delete HKEY_CLASSES_ROOT\Installer\Products\771F943D524B4D44EB7F87D16BBECDE4 /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\771F943D524B4D44EB7F87D16BBECDE4 /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\splunkd.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\splunk-winevtlog.exe" /f
reg delete "HKEY_CLASSES_ROOT\Installer\Products\771F943D524B4D44EB7F87D16BBECDE4" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\SV100012\79ceb0e4-9f86-11ee-a216-000d3ac2f180" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\SV100018\38c9b010-d5c3-11ee-a218-000d3ac2f180" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\SV100019\affe40ec-d660-11ee-a218-000d3ac2f180" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\SV10001F\c19eef51-4dd7-11ef-a21c-000d3ac2f180" /f
REM reg.exe takes HKLM\ as the hive prefix; HKLM:\ is PowerShell drive syntax and is rejected
reg delete "HKLM\SOFTWARE\Classes\Installer\Features\B0271F4D65C5D084FA81634DC56AD4AE" /f
reg delete "HKLM\SOFTWARE\Classes\Installer\UpgradeCode\13631B46466632F4FA2E89CF8E9602DB" /f
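REM A backslash directly before a closing quote escapes the quote, so the key has no trailing backslash and the value name doubles its last one
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Program Files\SplunkUniversalForwarder\\" /f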
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\splunk-perfmon.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-80-972488765-139171986-783781252-3188962990-3730692313" /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{775313CB-929D-442C-8B52-2ED391D816E2}" /f
REM Install Splunk - set to passive to allow installer to see progress or errors
msiexec.exe /i splunkforwarder-9.2.2-d76edf6f0a15-x64-release.msi SPLUNKUSERNAME="SplunkUser" SPLUNKPASSWORD="password" DEPLOYMENT_SERVER="USW-SPLUNKDPL-1:8089" AGREETOLICENSE=yes /passive
REM Start Splunk Service
net start SplunkForwarder
REM Install SPL file
"c:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" install app splunkclouduf.spl -auth SplunkAdmin:pasword
REM Stop and start Splunk service to enable SPL
net stop SplunkForwarder
net start SplunkForwarder
exit

0 Karma
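
The 32-character key names under Installer\Products, Installer\Features and Installer\UpgradeCodes in the script above are Windows Installer packed GUIDs, so each one identifies a particular MSI product or upgrade code. As an added example (not part of the original post), this Python code decodes them to standard GUID form so a key can be matched against the installed product before it is deleted; the function names are this example's own, and the sample lines are copied from the script.

```python
import re

# Constructed sample: three reg delete lines copied from the batch script above.
SAMPLE_SCRIPT = r'''
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\771F943D524B4D44EB7F87D16BBECDE4 /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\771F943D524B4D44EB7F87D16BBECDE4 /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\13631B46466632F4FA2E89CF8E9602DB" /f
'''

KEY_RE = re.compile(
    r"Installer\\(Products|Features|UpgradeCodes)\\([0-9A-Fa-f]{32})(?![0-9A-Fa-f])")
GUID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})"
    r"-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$")

def _swap_pairs(s):
    """Swap the two hex digits of every byte: 'EB7F' -> 'BEF7'."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))

def packed_to_guid(packed):
    """Decode a packed GUID (registry key name) to {8-4-4-4-12} form."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", packed):
        raise ValueError("packed GUID must be exactly 32 hex digits")
    p = packed.upper()
    tail = _swap_pairs(p[16:])  # last 8 bytes: digits swapped within each byte
    # First three groups are stored with their characters reversed.
    return "{%s-%s-%s-%s-%s}" % (
        p[:8][::-1], p[8:12][::-1], p[12:16][::-1], tail[:4], tail[4:])

def guid_to_packed(guid):
    """Encode a standard GUID as the packed form used for the key name."""
    m = GUID_RE.match(guid.strip())
    if not m:
        raise ValueError("not a GUID: %r" % guid)
    a, b, c, d, e = (g.upper() for g in m.groups())
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d + e)

def installer_keys(script_text):
    """Return unique (subkey, packed, guid) tuples in order of appearance."""
    seen, out = set(), []
    for kind, packed in KEY_RE.findall(script_text):
        item = (kind, packed.upper(), packed_to_guid(packed))
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out

if __name__ == "__main__":
    for kind, packed, guid in installer_keys(SAMPLE_SCRIPT):
        print(f"{kind:13} {packed} -> {guid}")
```
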

richgalloway
SplunkTrust

It's not necessary to uninstall a universal forwarder before upgrading it.  Just run the installer and it will perform the steps needed for the upgrade.

---
If this reply helps you, Karma would be appreciated.
0 Karma

chuckpnla
New Member

Interesting, because I didn't decide to uninstall first; I was told by support to do it.

0 Karma

isoutamo
SplunkTrust

Was it Splunk's support or some other?

@richgalloway is correct, you should never uninstall the previous version (unless there is some compatibility issue or something else) before updating. From time to time you should go through several UF versions and not install directly over many versions. There could be some stuff, e.g. for the fishbucket etc., which the UF must do to convert those from the old version to the new one.

If/when you uninstall the previous version, it also means that you will reindex all events from that host, as it no longer has information about what it has previously indexed! With big nodes this could be even terabytes of duplicate events!

r. Ismo 

0 Karma