Upgrading from Splunk 7.3.9 to versions before 8.0.8 or 8.1.1 will fail.
During the install process the installer will error with the following messages relating to the files:
libxml2.dll
libeay32.dll
ssleay32.dll
After dismissing these messages, the installer rolls back and reverts to the previously installed version 7.3.9.
This appears to be related to the dates on these files, which the installer does not handle correctly; it does not overwrite the files.
At the end of the failed install (before rollback), these 3 files are missing from the $SPLUNK_HOME/bin folder.
I presume the installer removes (backs up) the original files and during the install process validates that the files to be installed are newer. In the case of these 3 files, the situation is not handled correctly and the installer fails to correctly remedy the situation.
Solution
Use the latest version of the Splunk release train.
Upgrading to the latest release of the destination version will mitigate this issue.
The Splunk documentation (https://docs.splunk.com/Documentation/Splunk/8.2.4/Installation/HowtoupgradeSplunk) suggests that, to upgrade to the latest version from a 7.3.x starting point, you need to migrate to an 8.0.x or 8.1.x version. In reality this is slightly more nuanced, as there are specific version incompatibilities that need to be considered.
As a general rule, when performing updates, you should select the latest version of the release, even if this is an intermediate step to an eventual target version.
7.3.9 > 8.1.72 > 8.2.4 (latest versions at date of this post)
Thanks to the Splunk Docs team for updating the table I referenced above. Hopefully this makes it clearer for anyone approaching this in the future!
Workaround
From 7.3.9 > 8.0.0
Stop the Splunk service using the Services snap-in.
Snapshot the VM or back up the system.
From the $SPLUNK_HOME/bin folder delete the following files (take backups first)
Run the Splunk 8.0.0 installer (leaving the Splunk service stopped)
Validate that the install process completes and check and test the upgrade.
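The service-stop and file-removal steps above as a PowerShell script, run from an elevated prompt after the snapshot is taken. This is an added example, not part of the original post. It assumes the files to remove are the three DLLs named in the installer errors, that the Windows service is named `Splunkd`, that Splunk is in `C:\Program Files\Splunk` when `SPLUNK_HOME` is not set, and it uses a hypothetical backup folder under `%TEMP%`.

```powershell
$ErrorActionPreference = 'Stop'

# Assumptions (not from the original post): service name, default path, backup location.
$ServiceName = 'Splunkd'
$SplunkHome  = if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\Splunk' }
$BinDir      = Join-Path $SplunkHome 'bin'
$BackupDir   = Join-Path $env:TEMP ('splunk-dll-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))

# Assumption: the files to delete are the three DLLs the installer complains about.
$Files = 'libxml2.dll', 'libeay32.dll', 'ssleay32.dll'

# 1. Make sure the Splunk service is stopped and leave it stopped for the installer.
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName
}
if ((Get-Service -Name $ServiceName).Status -ne 'Stopped') {
    throw "Service $ServiceName is still running; not touching $BinDir"
}

# 2. Back up every file first and verify each copy by SHA-256 before deleting anything.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$verified = @()
foreach ($name in $Files) {
    $src = Join-Path $BinDir $name
    if (-not (Test-Path -LiteralPath $src)) {
        Write-Warning "$name not found in $BinDir, skipping"
        continue
    }
    $dst = Join-Path $BackupDir $name
    Copy-Item -LiteralPath $src -Destination $dst
    $srcHash = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        throw "Backup of $name does not match the original; no files were deleted"
    }
    $verified += [pscustomobject]@{ Name = $name; Path = $src; SHA256 = $srcHash }
}

# 3. Only after all backups are verified, remove the originals.
foreach ($item in $verified) {
    Remove-Item -LiteralPath $item.Path
}

$verified | Format-Table Name, SHA256 -AutoSize
Write-Output "Backups are in $BackupDir. Run the installer with the service still stopped."
```

If the installer still rolls back, copy the DLLs from the backup folder into `bin` again before restarting the service on 7.3.9.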