I've installed the forwarder on several other domain controllers in our environment, but these last 2 keep failing, throwing the all too enigmatic "setup ended prematurely" error. "Like a F-18 bro!"
They are Windows Server 2019, 9.0 forwarder, 64-bit installer. Regardless that the log states "SplunkForwarder already exists", there is no current installation of the forwarder (but I have attempted it several times).
The logs don't seem to have any intel I find useful, but maybe you all have a better secret decoder ring?
msiexec.log:
splunk.log:
Other than a few of these types of details ("input type=perfmon because it already exists"), I'm still unsure of the problem:
12:51:47 PM C:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd rest --noauth POST /servicesNS/nobody/SplunkUniversalForwarder/data/outputs/tcp/server "name=REDACTED:9997" >> "C:\Users\control\AppData\Local\Temp\splunk.log" 2>&1" HTTP/1.1 400 Bad Request Date: Thu, 08 Sep 2022 16:51:47 GMT Expires: Thu, 26 Oct 1978 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Content-Type: text/xml; charset=UTF-8 X-Content-Type-Options: nosniff Content-Length: 170 Connection: Close X-Frame-Options: SAMEORIGIN Server: Splunkd <?xml version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="ERROR">REDACTED:9997 forwarded-server already present</msg> </messages> </response> 12:51:47 PM C:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd rest --noauth POST /servicesNS/nobody/SplunkUniversalForwarder/data/inputs/win-event-log-collections/localhost lookup_host=localhost^&logs=Application^&logs=Security^&logs=System^&logs=ForwardedEvents^&logs=Setup >> "C:\Users\control\AppData\Local\Temp\splunk.log" 2>&1" HTTP/1.1 200 OK Date: Thu, 08 Sep 2022 16:51:49 GMT Expires: Thu, 26 Oct 1978 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Content-Type: text/xml; charset=UTF-8 X-Content-Type-Options: nosniff Content-Length: 4477 Connection: Close X-Frame-Options: SAMEORIGIN Server: Splunkd <?xml version="1.0" encoding="UTF-8"?> <!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .--> <?xml-stylesheet type="text/xml" href="/static/atom.xsl"?> <feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>win-event-log-collections</title> <id>/servicesNS/nobody/SplunkUniversalForwarder/data/inputs/win-event-log-collections</id> <updated>2022-09-08T12:51:49-04:00</updated> <generator build="6818ac46f2ec" version="9.0.0"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/nobody/SplunkUniversalForwarder/data/inputs/win-event-log-collections/_new" rel="create"/> <link href="/servicesNS/nobody/SplunkUniversalForwarder/data/inputs/win-event-log-collections/_reload" rel="_reload"/> <link href="/servicesNS/nobody/SplunkUniversalForwarder/data/inputs/win-event-log-collections/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>localhost</title> <id>/servicesNS/nobody/SplunkUniversalForwarder/data/inputs/win-event-log-collections/localhost</id> <updated>1969-12-31T19:00:00-05:00</updated> <link href="/servicesNS/nobody/SplunkUniversalForwarder/data/inputs/win-event-log-collections/localhost" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/SplunkUniversalForwarder/data/inputs/win-event-log-collections/localhost" rel="list"/> <link 
href="/servicesNS/nobody/SplunkUniversalForwarder/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/> <link href="/servicesNS/nobody/SplunkUniversalForwarder/data/inputs/win-event-log-collections/localhost" rel="edit"/> <content type="text/xml"> <s:dict> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">SplunkUniversalForwarder</s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>power</s:item> <s:item>splunk-system-role</s:item> <s:item>user</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">1</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="hosts">localhost</s:key> <s:key name="index">default</s:key> <s:key name="logs"> <s:list> <s:item>Application</s:item> <s:item>ForwardedEvents</s:item> <s:item>Security</s:item> <s:item>Setup</s:item> <s:item>System</s:item> </s:list> </s:key> <s:key name="lookup_host">localhost</s:key> <s:key name="name">localhost</s:key> </s:dict> </content> </entry> </feed> 12:51:49 PM C:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd rest --noauth POST /servicesNS/nobody/SplunkUniversalForwarder/data/inputs/win-perfmon "name=CPU%20Load&interval=10&object=Processor&counters=%25%20Processor%20Time%3B%25%20User%20Time&instances=_Total" >> "C:\Users\control\AppData\Local\Temp\splunk.log" 2>&1" HTTP/1.1 400 Bad Request Date: Thu, 08 Sep 2022 16:51:51 GMT Expires: Thu, 26 Oct 1978 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Content-Type: text/xml; charset=UTF-8 X-Content-Type-Options: nosniff Content-Length: 199 Connection: Close X-Frame-Options: SAMEORIGIN Server: Splunkd <?xml 
version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="ERROR">Cannot create object id=CPU Load of input type=perfmon because it already exists.</msg> </messages> </response> 12:51:51 PM C:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd rest --noauth POST /servicesNS/nobody/SplunkUniversalForwarder/data/inputs/win-perfmon "name=Available%20Memory&interval=10&object=Memory&counters=Available%20Bytes" >> "C:\Users\control\AppData\Local\Temp\splunk.log" 2>&1" HTTP/1.1 400 Bad Request Date: Thu, 08 Sep 2022 16:51:52 GMT Expires: Thu, 26 Oct 1978 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Content-Type: text/xml; charset=UTF-8 X-Content-Type-Options: nosniff Content-Length: 207 Connection: Close X-Frame-Options: SAMEORIGIN Server: Splunkd <?xml version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="ERROR">Cannot create object id=Available Memory of input type=perfmon because it already exists.</msg> </messages> </response> 12:51:52 PM C:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd rest --noauth POST /servicesNS/nobody/SplunkUniversalForwarder/data/inputs/win-perfmon "name=Free%20Disk%20Space&interval=3600&object=LogicalDisk&instances=_Total&counters=Free%20Megabytes%3B%25%20Free%20Space" >> "C:\Users\control\AppData\Local\Temp\splunk.log" 2>&1" HTTP/1.1 400 Bad Request Date: Thu, 08 Sep 2022 16:51:54 GMT Expires: Thu, 26 Oct 1978 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Content-Type: text/xml; charset=UTF-8 X-Content-Type-Options: nosniff Content-Length: 206 Connection: Close X-Frame-Options: SAMEORIGIN Server: Splunkd <?xml version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="ERROR">Cannot create object id=Free Disk Space of input type=perfmon because it already exists.</msg> </messages> </response> 12:51:54 PM C:\Windows\system32\cmd.exe /c ""C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd rest --noauth POST /servicesNS/nobody/SplunkUniversalForwarder/data/inputs/win-perfmon "name=Network%20Interface&interval=10&object=Network%20Interface&counters=Bytes%20Received%2Fsec%3BBytes%20Sent%2Fsec&instances=*" >> "C:\Users\control\AppData\Local\Temp\splunk.log" 2>&1" HTTP/1.1 400 Bad Request Date: Thu, 08 Sep 2022 16:51:56 GMT Expires: Thu, 26 Oct 1978 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Content-Type: text/xml; charset=UTF-8 X-Content-Type-Options: nosniff Content-Length: 208 Connection: Close X-Frame-Options: SAMEORIGIN Server: Splunkd <?xml version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="ERROR">Cannot create object id=Network Interface of input type=perfmon because it already exists.</msg> </messages> </response> 12:51:56 PM C:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd rest --noauth POST /servicesNS/nobody/SplunkUniversalForwarder/admin/deploymentclient/deployment-client targetUri=REDACTED:8089 >> "C:\Users\control\AppData\Local\Temp\splunk.log" 2>&1" HTTP/1.1 200 OK Date: Thu, 08 Sep 2022 16:51:56 GMT Expires: Thu, 26 Oct 1978 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Content-Type: text/xml; charset=UTF-8 X-Content-Type-Options: nosniff Content-Length: 1832 Connection: Close X-Frame-Options: SAMEORIGIN Server: Splunkd <?xml version="1.0" encoding="UTF-8"?> <!--This is to override browser formatting; see server.conf[httpServer] to disable