Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Upgrade of Splunk Universal Forwarder - "Specified account already exists"

jmcg-imperva
Engager
‎03-25-2021 04:26 AM

Hi,

I'm trying to update the Splunk UF on a machine, but when running the MSI installer I'm getting a "The specified account already exists" and then the MSI fails to install. 

I've googled some generic failures around this, but none have worked so far.

Has anyone experienced this or able to flag to how troubleshoot it?

Thanks.

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jho-splunk
Splunk Employee
Splunk Employee
‎03-25-2021 08:23 AM

Hi again @jmcg-imperva!

Interesting.  Based on this article, I wonder if there's something wonky in the Registry: https://kc.mcafee.com/corporate/index?page=content&id=KB88018

May I ask what version you're upgrading from, and what version you're upgrading to?

Cheers,

 

 - Jo.

 

View solution in original post

Reply
Solved! Jump to solution

jho-splunk
Splunk Employee
Splunk Employee
‎03-25-2021 06:55 AM

Hi @jmcg-imperva ,

Try rerunning the installation with logging enabled:

msiexec /l*vx msiexec.log /i <splunk.msi>

Then search for "return value 3", and look at a few lines before it.

If it's not obvious from that, please feel free to post a snippet here.

Cheers,

 

 - Jo.

 

0 Karma
Reply
Solved! Jump to solution

jmcg-imperva
Engager
‎03-25-2021 07:35 AM

Thanks Jo!

Log extract as below:

MSI (s) (F0:48) [16:31:03:074]: PROPERTY CHANGE: Adding SourceDir property. Its value is 'C:\Windows\Installer\'.
MSI (s) (F0:48) [16:31:03:074]: PROPERTY CHANGE: Adding SOURCEDIR property. Its value is 'C:\Windows\Installer\'.
MSI (s) (F0:48) [16:31:03:074]: PROPERTY CHANGE: Adding SourcedirProduct property. Its value is '{D23A0D86-94B2-4BFA-9703-4C403A602C33}'.
MSI (s) (F0:48) [16:31:03:074]: SOURCEDIR ==> C:\Windows\Installer\
MSI (s) (F0:48) [16:31:03:074]: SOURCEDIR product ==> {D23A0D86-94B2-4BFA-9703-4C403A602C33}
MSI (s) (F0:48) [16:31:03:074]: SECREPAIR: CryptAcquireContext succeeded
MSI (s) (F0:48) [16:31:03:074]: Using cached product context: machine assigned for product: 68D0A32D2B49AFB47930C404A306C233
MSI (s) (F0:48) [16:31:03:074]: Determining source type
MSI (s) (F0:48) [16:31:03:074]: Note: 1: 2203 2: C:\Windows\Installer\splunkFW.msi 3: -2147287038 
MSI (s) (F0:48) [16:31:03:074]: Note: 1: 1316 2: C:\Windows\Installer\splunkFW.msi 
MSI (s) (F0:48) [16:31:03:074]: SECREPAIR: Error determining package source type
MSI (s) (F0:48) [16:31:03:074]: SECUREREPAIR: SecureRepair Failed. Error code: 52473D75628
Error 1316. The specified account already exists.

MSI (s) (F0:48) [16:31:04:371]: Note: 1: 2205 2:  3: Error 
MSI (s) (F0:48) [16:31:04:371]: Note: 1: 2228 2:  3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709 
MSI (s) (F0:48) [16:31:04:371]: Product: UniversalForwarder -- Error 1316. The specified account already exists.

Action ended 16:31:04: InstallFinalize. Return value 3.
0 Karma
Reply
Solved! Jump to solution
Solution

jho-splunk
Splunk Employee
Splunk Employee
‎03-25-2021 08:23 AM

Hi again @jmcg-imperva!

Interesting.  Based on this article, I wonder if there's something wonky in the Registry: https://kc.mcafee.com/corporate/index?page=content&id=KB88018

May I ask what version you're upgrading from, and what version you're upgrading to?

Cheers,

 

 - Jo.

 

Reply
Solved! Jump to solution

Tyler
Explorer
‎05-19-2022 10:46 AM

This was the issue for me as well, but unfortunately renaming isn't as straight forward. PackageName is a GUID, not a filename. Since I deploy through Intune, I assume this is why. The GUID is likely of the app package file.

In the end, I used Orca to change the PackageCode and ProductCode GUIDs. Then, I could install like normal,

 

msiexec.exe /i "C:\Path\To\splunkuf.msi"

 

Why? There's no easy way to change the service account credentials or the Pass4SymmKey. A reinstall is the easiest, and the most reliable. Using MSIs in this way is a bit "unorthodox".

0 Karma
Reply
Solved! Jump to solution

jmcg-imperva
Engager
‎03-25-2021 09:08 AM

Hey @jho-splunk ,

Thanks for the info.

I found the registry entry under that branch & removed it. It seemed that the UF agent was on the machine a while ago but wasn't there now. I deleted the branch & the install then completed.

Cheers,
Joni.

0 Karma
Reply
Solved! Jump to solution

jho-splunk
Splunk Employee
Splunk Employee
‎03-25-2021 09:16 AM

Hey @jmcg-imperva!

Awesome!  Thanks for letting us know!  &:)

Cheers,

 

 - Jo.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out &gt;&gt; As our brave ...