Splunk Dev

Why rollback during Installation Windows 64 bit?

New Member

Hi Splunk,

I have trouble installing your software.
It goes into rollback stating an error detected but no mention of the error
I selected the Windows 64 bit version.

Please advice

Thanks and regardsalt text

Labels (1)
0 Karma


same problem six years later attempting to upgrade from version 9.0.0 to 9.1.1 on half of our servers it upgraded fine on the other half it chokes



Rollback: StopSplunkServiceDef
MSI (s) (B4:98) [22:00:59:416]: Executing op: ActionStart(Name=StopSplunkServiceDef,,)
Rollback: RestartSplunkService
MSI (s) (B4:98) [22:00:59:416]: Executing op: ActionStart(Name=RestartSplunkService,,)
MSI (s) (B4:98) [22:00:59:416]: Executing op: CustomActionRollback(Action=RestartSplunkService,ActionType=1281,Source=BinaryData,Target=StartSplunkServiceCA,CustomActionData=SystemFolder=C:\Windows\SysWOW64\;System64Folder=C:\Windows\system32\;SplunkHome=C:\Program Files\Splunk\;SplunkSvcName=Splunkd;LaunchSplunk=1;FailCA=)
MSI (s) (B4:BC) [22:00:59:478]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIDCBF.tmp, Entrypoint: StartSplunkServiceCA
StartSplunkService: Warning: Invalid property ignored: FailCA=.
StartSplunkService: Info: Properties: splunkHome: C:\Program Files\Splunk, svcName: Splunkd, launch splunk: 1.
StartSplunkService: Info: Enter.
StartSplunkService: Info: service Splunkd already exists
StartSplunkService: Info: Leave.
StartSplunkService: Info: Enter. Args: "C:\Program Files\Splunk\bin\splunk.exe", start --answer-yes --no-prompt --accept-license --auto-ports
StartSplunkService: Info: SystemPath is: C:\Windows\system32\
StartSplunkService: Info: Execute string: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Splunk\bin\splunk.exe" start --answer-yes --no-prompt --accept-license --auto-ports >> "C:\Users\ADMINI~1\AppData\Local\Temp\splunk.log" 2>&1"
StartSplunkService: Info: WaitForSingleObject returned : 0x0
StartSplunkService: Info: Exit code for process : 0x1
StartSplunkService: Info: Leave.
StartSplunkService: Error: ExecCmd failed: 0x1.
StartSplunkService: Error 0x80004005: Cannot start splunkd service.
CustomAction RestartSplunkService returned actual error code 1603 but will be translated to success due to continue marking
Rollback: Updating component registration

0 Karma

New Member

I have the same problem in the latest version. Can anyone help?

0 Karma

New Member

I have the same issue, any new information about this when the user is already admin?,I'm having the same issue, any new information regarding this issue when you are an admin?

0 Karma

Esteemed Legend

Every time that this has happened it has been a permissions problem. Either you are not an admin or you cannot write into Program Files to add Splunk. You can get more debug output like this:


0 Karma

New Member

I am facing the same issue, i am the admin of my system, tried to install multiple times but it rollsback,
Can some one guide me "or you cannot write Program Files to add Splunk" means and how can it be resolved
It rolls back at very last of the installation process, almost after 90-95% of completion

Log file details
11-19-2017 01:51:41.318 +0530 INFO loader - Running utility: "validatedb"
11-19-2017 01:51:41.490 +0530 INFO loader - Getting configuration data from: D:\etc\myinstall\splunkd.xml
11-19-2017 01:51:41.492 +0530 INFO loader - SPLUNK_MODULE_PATH environment variable not found - defaulting to D:\etc\modules
11-19-2017 01:51:41.493 +0530 INFO loader - loading modules from D:\etc\modules
11-19-2017 01:51:41.603 +0530 INFO loader - Writing out composite configuration file: D:\var\run\splunk\composite.xml
11-19-2017 01:51:41.743 +0530 INFO loader - Validated 8 indexes in 94.00 milliseconds
11-19-2017 01:51:43.009 +0530 INFO ServerConfig - Found no hostname options in server.conf. Will attempt to use default for now.
11-19-2017 01:51:43.010 +0530 INFO ServerConfig - Host name option is "".
11-19-2017 01:51:55.444 +0530 INFO loader - Running utility: "check-transforms-keys"
11-19-2017 01:51:55.451 +0530 INFO loader - Getting configuration data from: D:\etc\myinstall\splunkd.xml
11-19-2017 01:51:55.453 +0530 INFO loader - SPLUNK_MODULE_PATH environment variable not found - defaulting to D:\etc\modules
11-19-2017 01:51:55.454 +0530 INFO loader - loading modules from D:\etc\modules
11-19-2017 01:51:55.494 +0530 INFO loader - Writing out composite configuration file: D:\var\run\splunk\composite.xml

0 Karma

New Member


You should stop the splunk forwarder service.

then install the new agent by cmd line <msiexec.exe /i splunkuniversalforwarder.msi >

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...