Installation

Why is uninstalling Universal Forwarder not working (Windows 11)?

dijon000
Observer

I am trying to experiment with splunk to gather windows logs from my computer. However, I do not see my client in "Forwarder Management" so I think I may have misconfigured the receiving indexer. I am trying to uninstall the Universal Forwarder so I can reinstall it. I am attempting to follow the Splunk documentation: Uninstall the universal forwarder - Splunk Documentation but am unsuccessful in uninstalling the forwarder.  

I have some screenshots to help understand my problem: 

[Screenshot 1] the result when running command msiexec /x splunkuniversalforwarder-<...>-x86-release.msi
[Screenshot 2] I have the SplunkForwarder Service in my services menu. I believe this shows that the universal forwarder does exist on my device.

These screenshots are when I attempt to uninstall the universal forwarder. The second screenshot should show that the service does exist and is not running at the moment (Yes, when it is running I don't see it in "Forwarder Management" still.)

If anyone has any advice and/or direction on what I should do, it would be greatly appreciated.


Thank You. 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @dijon000,

There can be many reasons why an Indexer doesn't receive logs from a Universal Forwarder, but the uninstall/install approach isn't a good idea because usually it doesn't solve the issue!

Anyway, do you still have the UF in the list of installed applications on Windows?

If yes, you could try to install it again; if not, you can delete the remaining files and install it again.

If the error is still present and you have a valid license, open a case to Splunk Support.

About the issue of not sending logs to Indexer, at first check if you're receiving logs with a simple search:

    index=_internal host=your_universal_forwarder_host

If you have logs, the UF is correctly installed and configured.

Then you see the UF in Forwarder Management only if you configured the Deployment Server on the UF.

If not, there could be many reasons:

  • did you configure the receiver on the Indexer? [Settings > Forwarding and Receiving > Receiving]
  • did you configure outputs on the UF?
  • is the indexer reachable from the UF, or are there intermediate firewalls?

For more info, see https://docs.splunk.com/Documentation/Splunk/9.0.4/Forwarding/Aboutforwardingandreceivingdata

Ciao.

Giuseppe

0 Karma
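As an added example (not part of this thread and not Splunk's own tooling), the PowerShell script below runs Giuseppe's checklist from the Windows 11 side of the UF: is the product still registered with Windows Installer (which is what msiexec /x needs), is the SplunkForwarder service present, which indexers does outputs.conf point at, are they reachable on the receiving port, and is a deployment server set in deploymentclient.conf. It assumes the default install path under Program Files and the default config file names; adjust $UfHome if the forwarder was installed elsewhere.

```powershell
# Assumption: default Universal Forwarder install location; change if needed.
$UfHome = Join-Path $env:ProgramFiles 'SplunkUniversalForwarder'

# 1. Windows Installer registration. msiexec /x can only remove a product
#    that still has an uninstall entry; if this is empty, the MSI route is gone.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -match 'UniversalForwarder|Splunk' }
if ($product) {
    "Installed product : $($product.DisplayName) $($product.DisplayVersion)"
    "Uninstall string  : $($product.UninstallString)"
} else {
    'No Windows Installer entry for the UF; only leftover files/service remain.'
}

# 2. Service state: a stopped forwarder sends nothing to the indexer.
$svc = Get-Service -Name SplunkForwarder -ErrorAction SilentlyContinue
if ($svc) { "Service state     : $($svc.Status)" } else { 'SplunkForwarder service not present.' }

# 3. Configured outputs: collect every server= line from any outputs.conf under the UF.
$confFiles = Get-ChildItem -Path $UfHome -Recurse -File -ErrorAction SilentlyContinue
$targets = foreach ($f in ($confFiles | Where-Object Name -eq 'outputs.conf')) {
    foreach ($line in Get-Content $f.FullName) {
        if ($line -match '^\s*server\s*=\s*(.+)$') {
            $Matches[1].Split(',') | ForEach-Object { $_.Trim() }
        }
    }
}
if (-not $targets) { 'No outputs.conf server= entry: the UF has no indexer configured.' }

# 4. Reachability of each indexer:port from this host (surfaces firewall problems).
foreach ($t in ($targets | Sort-Object -Unique)) {
    $hostName, $port = $t.Split(':')
    $ok = Test-NetConnection -ComputerName $hostName -Port ([int]$port) `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    "Indexer $t reachable: $ok"
}

# 5. Deployment client: without a targetUri the UF never appears in Forwarder Management.
$dc = $confFiles | Where-Object Name -eq 'deploymentclient.conf' |
      Select-String -Pattern '^\s*targetUri\s*=\s*(.+)$' | Select-Object -First 1
if ($dc) { "Deployment server : $($dc.Matches[0].Groups[1].Value)" }
else     { 'No deploymentclient.conf targetUri set.' }
```

Run it from an elevated PowerShell prompt so the registry and Program Files reads succeed; pair it with Giuseppe's `index=_internal host=...` search on the indexer to see both ends of the connection.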