Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to Uninstall or over write with new version of Splunk universal forwe

AkshayKrishna
Engager
3 weeks ago

Hi Team,

 

We are facing an issue with the Splunk Universal Forwarder (UF) on one of our Windows servers.

 

In Services.msc, the Splunk service is not running, and after disabling it we are no longer able to see “Splunk” in the list of services.

 

We manually deleted the C:\Program Files\SplunkUniversalForwarder folder, thinking it might help.

 

Now, when we try to uninstall/reinstall/update UF using msiexec, we receive the error:

 

 

> “This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.”

 

 

 

The installer also complains that “policies are stopping the installation or modification,” even though we are running with local Administrator/root privileges.

 

We also noticed leftover entries in the registry and suspect there may be orphaned MSI references blocking the installation.

 

 

Has anyone faced this before?

 

What’s the best way to fully clean up old Splunk UF services, registry entries, and MSI remnants so that we can do a fresh installation?

 

Are there recommended steps/tools from Splunk for handling corrupted or partially removed UF installations on Windows?

 

 

Any guidance would be appreciated.

Labels (1)
Labels
0 Karma
Reply

PrewinThomas
Motivator
3 weeks ago

@AkshayKrishna 

You can follow below doc for clean up and try with fresh installation.

#https://splunk.my.site.com/customer/s/article/Troubleshooting-Windows-Installer-MSI

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!



Reply

AkshayKrishna
Engager
3 weeks ago

 I cannot install Procmon.exe, not allowed in my org is there any other ways to do it without any addons.

 

@PrewinThomas

0 Karma
Reply

PrewinThomas
Motivator
3 weeks ago

@AkshayKrishna 

PROCMON is not mandatory, its only to gather more info. Basically with windows admin help, you can perform following to remove any rrphaned MSI references

Delete the splunk windows service (if still present)
Delete residual files & folders (anything related to Splunk)
Manually clean registry entries
Remove installer cache files if any

After removing all these references and reboot should fix orphaned msi reference issues.


Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...