Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Re: Upgrade Splunk Universal forwarder ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Upgrade Splunk Universal forwarder ?
Hi Guys
Im a little confused, I need to upgrade what I believe is a Splunk universal forwarder, I think this as its located "C:\program files\SplunkUniversalForwarder" build version is below -
VERSION=4.3.2
BUILD=123586
PRODUCT=splunk
PLATFORM=Windows-AMD64
This is installed on a 2008 R2 64bit box, my issue is that when trying to upgrade with SplunkFprwarder-5.0.2-149561-x64-release
the upgrade seems to get about halfway though but then fails with this error -
Splunk Launcher - Splunk could not start splunks first time run - Error Code - 1
Im installing as a domain admin so its not related to privlidges, the other issue I see is that the only service that is running is called Splunk Forwarder, there are no other Splunk services installed from what I can see, I dont know if thatts an issue ?
any ideas guys ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK I have sorted it -
I ended up deleting the service from services, this was named SplunkForwarder ( it was the only Splunk service listed), of course it didnt go smoothly and there was an error to state that the service didnt exist, I then tried to restart the said service only to get yet another error.
I then ran the upgrade again which then got 1 step further but failed again but with another error stating that Splunk couldnt create a service, I then rebooted and ran the installer again and low and behold it installed without issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Pleased I could help 🙂
Please give the tick box a tick to mark as an answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This was a good tip. I had the same trouble installing v5.0.3 over v5.0.2. I stopped the service, then used a domain admin account to do the install. I did not have to reboot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
EDIT --- exact error message is -
Splunk Installer was unable to launch Splunks first time run - Error Code 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another thing that I noticed is that when upgrading Im asked questions such as the deployment servers details and forwarders details IP's even what logs I would like to monitor, on other machines with the upgrade it just installs without being prompted for this info.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
