Splunk Enterprise

Splunk Enterprise 9.1.3: Universal Forwarder can't be updated

TheExpert
Path Finder

Hi all,

Today I successfully updated Splunk Enterprise to 9.1.3 (from 9.1.2) on a Windows 10 22H2 Pro machine with the newest Windows updates (January 2024).

Then I wanted to update the Universal Forwarder on this machine, too. Actually, there's 9.1.2 running and everything is working fine. But updating to 9.1.3 doesn't work. Near the end of the installation process, the installation is rolled back to 9.1.2. Before the rollback, some more windows come up for a very short time. And then there is more than one message window saying that the installation failed. You then have to click OK in every message window to finish the rollback successfully.

I don't see why the update is failing. Does anyone have the same issue? And how did you solve this issue?

Thank you.

0 Karma
1 Solution

TheExpert
Path Finder

Thank you. I can confirm that an uninstallation of Universal Forwarder 9.1.2 and an installation of Universal Forwarder 9.1.3 works without issues.

0 Karma

swaro_ck
Path Finder

We have exactly the same problem here. Tested today on a Windows 2016/2019 - UFW Update from 9.1.1 to 9.1.3

But a new installation is out of the question for us, as you will lose all checkpoints and a reread of all is the result.

0 Karma

CheongKing
New Member

I am also encountering an issue when I'm doing an upgrade from 9.1.2.

Coming to the end it will roll back and fail..

A fresh install works fine...

Kindly advise.

0 Karma

kb_ama
Engager

For us the upgrade worked when we added the parameter:
USE_LOCAL_SYSTEM=1
and the service was started as Local System.

When we did an uninstall of 9.1.2 and a new install of 9.1.3 without the parameter, the service was installed with the user NT SERVICE\SplunkForwarder.

ASierra
Explorer

Mine was failing also until I added the parameter above, and the install went through fine.

0 Karma

swaro_ck
Path Finder

Great, thanks, that works.

0 Karma

TheExpert
Path Finder

In the Windows event log I can see that some drivers are successfully installed by the update. And then I see these events:

01/23/2024 11:17:26 PM LogName=Application EventCode=11708 EventType=4 ComputerName=WIN10SERVER User=NOT_TRANSLATED Sid=S-1-5-21-451409098-3557801342-1863680623-1001 SidType=0 SourceName=MsiInstaller Type=Informationen RecordNumber=212304 Keywords=Klassisch TaskCategory=None OpCode=Info Message=Product: UniversalForwarder -- Installation failed.

01/23/2024 11:17:26 PM LogName=Application EventCode=1033 EventType=4 ComputerName=WIN10SERVER User=NOT_TRANSLATED Sid=S-1-5-21-451409098-3557801342-1863680623-1001 SidType=0 SourceName=MsiInstaller Type=Informationen RecordNumber=212305 Keywords=Klassisch TaskCategory=None OpCode=Info Message=Das Produkt wurde durch Windows Installer installiert. Produktname: UniversalForwarder. Produktversion: 9.1.3.0. Produktsprache: 1033. Hersteller: Splunk, Inc.. Erfolg- bzw. Fehlerstatus der Installation: 1603.

0 Karma

wcolgate_splunk
Splunk Employee

Use msiexec /i .... /l*vx logfile.txt

and look for "value 3" in that file. Just above that will show more information about the installation failure.

0 Karma
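The log search suggested in the reply above, as an added PowerShell example (not part of the thread and not Splunk's code): it finds each action that ended with "Return value 3" in a verbose msiexec log and returns the lines just above it. The function name, the `ExampleCustomAction` name and the sample log lines are constructed for illustration.

```powershell
# Added example: pull the failing action and the lines above it out of a
# verbose msiexec log (the file written by /l*vx). Names are hypothetical.
function Get-MsiFailureContext {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $Before = 5,
        # Wording used by an English-language Windows Installer. Assumption:
        # on a localised Windows the phrase may differ, so it can be overridden.
        [string] $Pattern = 'Action ended [\d:]+: (?<action>[^.]+)\. Return value 3\.'
    )
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match $Pattern) {
            $start = [Math]::Max(0, $i - $Before)
            [pscustomobject]@{
                LineNumber = $i + 1                 # 1-based, as an editor shows it
                Action     = $Matches.action
                Context    = $Lines[$start..$i]     # detail lines plus the hit itself
            }
        }
    }
}

# Constructed sample, shaped like a verbose MSI log; not taken from a real install.
$sample = @'
MSI (s) (A4:5C) [23:17:20:101]: Doing action: ExampleCustomAction
Action start 23:17:20: ExampleCustomAction.
ExampleCustomAction: constructed error detail would appear here
CustomAction ExampleCustomAction returned actual error code 1603
Action ended 23:17:25: ExampleCustomAction. Return value 3.
Action ended 23:17:26: INSTALL. Return value 3.
'@ -split "`r?`n"

# The first hit is usually the action that actually failed; later hits are
# typically the enclosing actions reporting the same failure upward.
Get-MsiFailureContext -Lines $sample -Before 3 | ForEach-Object {
    "Line $($_.LineNumber): action '$($_.Action)' failed"
    $_.Context | ForEach-Object { "    $_" }
}

# Against a real log: Get-MsiFailureContext -Lines (Get-Content .\logfile.txt)
```
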