Hi @isaacso,
Okay, I think I see the problem. Could you create a dummy string value named ProductName underneath the key HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\8B17357F59074B5F87FBCDE4D112027B and then retry the installer? It doesn't matter what the value is; it can be empty.
If it still fails, please repeat the same steps to diagnose.
Cheers,
- Jo.
Hi @isaacso,
Interesting. That logging is pointing to us having a problem with something beneath HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Products in the Registry. Do you think you'd be able to export both that and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Installer\Products and attach them here?
Cheers,
- Jo.
Hi @isaacso,
Please see the following for instructions on how to troubleshoot MSI installation failure: https://helgeklein.com/blog/2012/02/how-to-troubleshoot-failed-msi-installs/
Once you have them, please paste the lines preceding "return value 3" here so that we can further help you.
Cheers,
- Jo.
Hi @afx,
Since version 7.3.0 of Splunk, there's also the new run_introspection configuration value. If you set that to false, and disabled to true for a particular modular input, then that input will never run (the alternative of interval = -1 means that the modular input will run once upon startup).
Cheers,
- Jo.
Hi @adalbor ,
Can we run the installer to upgrade and switch to low priv mode without having to uninstall the UF first?
Unfortunately not. During an upgrade the installer does not present an opportunity to change the user. You will need to uninstall first.
Cheers,
- Jo.
Hi @hortonew,
Are you able to paste the output of the following:
splunk btool indexes list provider:<name-of-your-provider-in-indexes.conf>
I'd like to compare to a working setup I have locally.
Cheers,
- Jo.
Hi @miansalmantahir,
Probably the best way forward is to enable logging:
msiexec /l*vx msiexec.log /i
And see if that gives more information. If it does not, it might be worth trying Sysinternals' Process Monitor to see if that sheds some light.
Cheers,
- Jo.
Hi @hortonew,
Does search.log not shed further light? Try setting vix.splunk.search.debug to 1 and see if that sheds more light. Also, what is your Hadoop Version set to?
Cheers,
- Jo.
Hi @briansarmiento,
The property to set to specify an indexer for the UF is RECEIVING_INDEXER, not FORWARD_SERVER. Please see here: https://docs.splunk.com/Documentation/Forwarder/7.3.4/Forwarder/InstallaWindowsuniversalforwarderfromthecommandline
Cheers,
- Jo.
Hi @indudhar,
I'm afraid we'll need logs to troubleshoot further. You can enable logging like so:
msiexec /l*vx msiexec.log /i <splunk.msi>
If you then search for return value 3 in that log, what happened immediately beforehand is the culprit.
Good luck!
Cheers,
- Jo.
Hi @rahulkumarfgf,
Unfortunately I don't have a VM around to test, but I'm guessing that Microsoft finally removed cacls.exe from Windows Server as of 2019. Therefore you'll need to use the icacls.exe command instead. E.g.:
icacls D:\new\path\for\index /t /c /grant "<the user Splunk Enterprise runs as>:(OI)(CI)(F)"
Cheers,
- Jo.
Hi @hortonew,
The specific issue is internally tracked as ERP-2150, which has the summary | metadata type=sourcetypes index=* fails when you have virtual indexes. Unfortunately I've realized that there's an issue that means it isn't currently in the release notes.
Cheers,
- Jo.
Hi @virggray,
For PowerShell, this should probably be:
$env:SPLUNK_HOME="C:\Program Files\Splunk"
However this doesn't really achieve much (it just sets the environmental variable SPLUNK_HOME). It's unclear to me what exactly you're trying to do... are you able to clarify?
If you just want to be able to run the splunk CLI command from a PowerShell prompt, you need to do something like:
$env:PATH += ";" + "C:\Program Files\Splunk\bin"
Cheers,
- Jo.
Hi @sudhir7,
To troubleshoot this further, I'd recommend enabling MSI logging. Here's an example:
msiexec /l*vx msiexec.log /i splunk-8.0.1-6db836e2fb9e-x64-release.msi
Once the installation has completed, search the log for return value 3, and whatever occurs just prior is the problem.
Cheers,
- Jo.
Hi @patrickyoko ,
I'm surprised you needed to do this, to be honest. I just tested and using interval = -1 seemed to work for me. What version of Splunk is this?
Also, FWIW, for PowerShell scripts you can use the native PowerShell modular input by means of powershell:// stanzas.
Hope this helps.
Cheers,
- Jo.
Hi @satyaallaparthi ,
What is the error that you are getting? Can you provide the exact PowerShell that you are using to invoke btool?
Cheers,
- Jo.
Hi @manderson_rr,
For maximum debugging, you can change $logDebug to $true in splunk-powershell.ps1, which affects splunk-powershell.ps1.log. And you can also change ExecProcessor (in log.cfg) and splunk-powershell (in log-cmdline.cfg) to DEBUG, which affects splunkd.log. You will need to restart the UF for the changes to take effect. Maybe one of these logs will provide some clues as to what is going wrong.
Cheers,
- Jo.
Hi @manderson_rr,
Ah yes, unfortunately some of the example schedules are incorrect. How often would you like it to run? Here's a handy site: https://crontab.guru/
I can confirm that a number of customers are using the PowerShell modular input successfully. ;)
Cheers,
- Jo.
Hi @marcohoffmann,
For the 6.4 series, it was fixed in 6.4.7; see here: https://docs.splunk.com/Documentation/Splunk/6.4.7/ReleaseNotes/6.4.7
For later versions, it's fixed in 6.5.3, and all versions from 6.6.0 onwards.
Good luck! :)
Cheers,
- Jo.