Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is uninstalling Universal Forwarder not working (Windows 11)?

dijon000
Observer
‎04-18-2023 11:27 PM

I am trying to experiment with splunk to gather windows logs from my computer. However, I do not see my client in "Forwarder Management" so I think I may have misconfigured the receiving indexer. I am trying to uninstall the Universal Forwarder so I can reinstall it. I am attempting to follow the Splunk documentation: Uninstall the universal forwarder - Splunk Documentation but am unsuccessful in uninstalling the forwarder.  

I have some screenshots to help understand my problem: 

the result when running command msiexec /x splunkuniversalforwarder-<...>-x86-release.msithe result when running command msiexec /x splunkuniversalforwarder-<...>-x86-release.msiI have the SplunkForwarder Service in my services menu. I believe this shows that the universal forwarder does exist on my device.I have the SplunkForwarder Service in my services menu. I believe this shows that the universal forwarder does exist on my device.

These screenshots are when I attempt to uninstall the universal forwarder. The second screenshot should show that the service does exist and is not running at the moment (Yes when it is running I don't see it in "Forwarder Managment" still.)

If anyone has any advice and/or direction on what I should do, it would be greatly appreciated.

 

Thank You. 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-19-2023 12:11 AM

Hi @dijon000,

there can be many reasons because an Indexer doesn't receive logs from a Universal Forwarder, but the approach uninstall/install isn't a good idea because usually it doesn't solves the issue!

Anyway, do you still have the UF in the list on installed application on Windows?

if yes, you could try to install it again, if not you can delete the remaining files and install it again.

If the error is still present and you have a valid license, open a case to Splunk Support.

About the issue of not sending logs to Indexer, at first check if you're receiving logs with a simple search:

 

index=_internal host=your_universal_forwarder_host

 

if you have logs, the UF is correctly installed and configured,

Then you see the UF in Forwarders management only if you configured Deployment Server on UF.

if not there could be many reasons:

  • did you configured receiver on Indexer? [Settings > Forwarding and Receiving > Receiving]
  • did you configured outputs on UF?
  • is the indexer reachable from the UF or there are intermediate firewalls?

for more infos see at https://docs.splunk.com/Documentation/Splunk/9.0.4/Forwarding/Aboutforwardingandreceivingdata

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...