Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is uninstalling Universal Forwarder not working (Windows 11)?

dijon000
Observer
‎04-18-2023 11:27 PM

I am trying to experiment with splunk to gather windows logs from my computer. However, I do not see my client in "Forwarder Management" so I think I may have misconfigured the receiving indexer. I am trying to uninstall the Universal Forwarder so I can reinstall it. I am attempting to follow the Splunk documentation: Uninstall the universal forwarder - Splunk Documentation but am unsuccessful in uninstalling the forwarder.  

I have some screenshots to help understand my problem: 

the result when running command msiexec /x splunkuniversalforwarder-<...>-x86-release.msithe result when running command msiexec /x splunkuniversalforwarder-<...>-x86-release.msiI have the SplunkForwarder Service in my services menu. I believe this shows that the universal forwarder does exist on my device.I have the SplunkForwarder Service in my services menu. I believe this shows that the universal forwarder does exist on my device.

These screenshots are when I attempt to uninstall the universal forwarder. The second screenshot should show that the service does exist and is not running at the moment (Yes when it is running I don't see it in "Forwarder Managment" still.)

If anyone has any advice and/or direction on what I should do, it would be greatly appreciated.

 

Thank You. 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-19-2023 12:11 AM

Hi @dijon000,

there can be many reasons because an Indexer doesn't receive logs from a Universal Forwarder, but the approach uninstall/install isn't a good idea because usually it doesn't solves the issue!

Anyway, do you still have the UF in the list on installed application on Windows?

if yes, you could try to install it again, if not you can delete the remaining files and install it again.

If the error is still present and you have a valid license, open a case to Splunk Support.

About the issue of not sending logs to Indexer, at first check if you're receiving logs with a simple search:

 

index=_internal host=your_universal_forwarder_host

 

if you have logs, the UF is correctly installed and configured,

Then you see the UF in Forwarders management only if you configured Deployment Server on UF.

if not there could be many reasons:

  • did you configured receiver on Indexer? [Settings > Forwarding and Receiving > Receiving]
  • did you configured outputs on UF?
  • is the indexer reachable from the UF or there are intermediate firewalls?

for more infos see at https://docs.splunk.com/Documentation/Splunk/9.0.4/Forwarding/Aboutforwardingandreceivingdata

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...