Solved: Splunk Enterprise 9.1.3: Universal Forwarder can't...

TheExpert · ‎01-23-2024

Hi all,

today I successfully updated Splunk Enterprise to 9.1.3 (from 9.1.2) on a Windows 10 22H2 Pro machine with the newest Windows updates (January 2024).

Then I wanted to update the Universal Forwarder on this machine, too. Actually, there's 9.1.2 running and everything is working fine. But updating to 9.1.3 doesn't work. Near to the end of the installation process, the installation is rolled back to 9.1.2. Before the rollback there are coming up some more windows for a very short time. And then there are more then one message windows saying, that the installation failed. You then have to click on OK in every message window to finish successfully the rollback.

I don't see why the update is failing. Does anyone have the same issue? And how did you solve this issue?

Thank you.

TheExpert · ‎01-24-2024

Thank you. I can confirm that an unistallation of Universal Forwarder 9.1.2 and an installation of Uinversal Forwarder 9.1.3 works without issues.

View solution in original post

swaro_ck · ‎01-25-2024

We have exactly the same problem here. Tested today on a Windows 2016/2019 - UFW Update from 9.1.1 to 9.1.3

But a new installation is out of the question for us, as you will lose all checkpoints and a reread of all is the result.

CheongKing · ‎01-24-2024

I am also encountering issue when I'm doing a upgrade from 9.1.2.

Coming to the end it will roll back and fail..

A fresh install works fine...

Kindly advise.

kb_ama · ‎01-25-2024

for us the upgrade worked when we added the parameter:
USE_LOCAL_SYSTEM=1
and the service was started as Local System

when we did an uninstall of 9.1.2 and new install of 9.1.3 without the parameter the service was installed with the user NT SERVICE\SplunkForwarder

ASierra · ‎02-26-2024

Mine was failing also until I added the parameter above and install went through fine.

swaro_ck · ‎01-26-2024

Great, thanks, that works.

TheExpert · ‎01-24-2024

Thank you. I can confirm that an unistallation of Universal Forwarder 9.1.2 and an installation of Uinversal Forwarder 9.1.3 works without issues.

TheExpert · ‎01-23-2024

In the Windows event log I can see that some drivers are successfully installed by the update. And then I see these events:

01/23/2024 11:17:26 PM LogName=Application EventCode=11708 EventType=4 ComputerName=WIN10SERVER User=NOT_TRANSLATED Sid=S-1-5-21-451409098-3557801342-1863680623-1001 SidType=0 SourceName=MsiInstaller Type=Informationen RecordNumber=212304 Keywords=Klassisch TaskCategory=None OpCode=Info Message=Product: UniversalForwarder -- Installation failed.

01/23/2024 11:17:26 PM LogName=Application EventCode=1033 EventType=4 ComputerName=WIN10SERVER User=NOT_TRANSLATED Sid=S-1-5-21-451409098-3557801342-1863680623-1001 SidType=0 SourceName=MsiInstaller Type=Informationen RecordNumber=212305 Keywords=Klassisch TaskCategory=None OpCode=Info Message=Das Produkt wurde durch Windows Installer installiert. Produktname: UniversalForwarder. Produktversion: 9.1.3.0. Produktsprache: 1033. Hersteller: Splunk, Inc.. Erfolg- bzw. Fehlerstatus der Installation: 1603.

wcolgate_splunk · ‎01-24-2024

Use msiexec /i .... /l*vx logfile.txt

and look for "value 3" in that file. Just above that will show more information about the installation failure.

Splunk Enterprise 9.1.3: Universal Forwarder can't be updated

installation

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024