After upgrading Windows forwarders from Splunk 6.1.1 to 6.3, why are we getting error "app=Splunk_TA-windows: action=Uninstall result=Fail"?

agarrison
Path Finder

We recently started trying to upgrade our Windows forwarder installations from 6.1.1 to 6.3. After the upgrade, the Forwarder Management page states the forwarder has errors installing. The \Splunk\etc\deployment-apps\Splunk_TA_windows folder is there and looks fine. This only affects the forwarders on which we uninstall the old client and install the new client.

This is already installed on the forwarders before the upgrade; the forwarder for Windows is not changing...
I am unsure as to why I am getting this error.

Has anyone seen anything like this?

10-15-2015 12:56:35.424 -0400 WARN  ClientSessionsManager - ip=10.0.0.8 name=11111111-1111-1111-1111-FBBDE9BD3C6E Updating record for sc=Windows Clients app=Splunk_TA_windows: action=Uninstall result=Fail
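
An added example, not part of the original post or of Splunk's tooling: a small parser for deployment server lines shaped like the WARN line quoted above, which lists the clients and apps whose deployment action failed. Only the first sample line comes from the post; the other lines, including the `result=Ok` value, are constructed assumptions.

```python
import re
from collections import defaultdict

# Layout taken from the WARN line quoted in the post. "sc" (server class) may
# contain spaces, so it is matched lazily up to the following " app=".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+"
    r"(?P<level>[A-Z]+)\s+ClientSessionsManager - "
    r"ip=(?P<ip>\S+) name=(?P<name>\S+) Updating record for "
    r"sc=(?P<sc>.+?) app=(?P<app>[^:\s]+): "
    r"action=(?P<action>\w+) result=(?P<result>\w+)\s*$"
)

def parse_line(line):
    """Return the fields of one deployment-status line, or None if it differs."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def failed_actions(lines):
    """Map (client name, ip) -> list of (app, action, server class, timestamp)."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"].lower() == "fail":
            key = (rec["name"], rec["ip"])
            failures[key].append((rec["app"], rec["action"], rec["sc"], rec["ts"]))
    return dict(failures)

SAMPLE = [
    # Line quoted in the post above.
    "10-15-2015 12:56:35.424 -0400 WARN  ClientSessionsManager - ip=10.0.0.8 "
    "name=11111111-1111-1111-1111-FBBDE9BD3C6E Updating record for "
    "sc=Windows Clients app=Splunk_TA_windows: action=Uninstall result=Fail",
    # Constructed lines: a second failing client, an assumed non-failing
    # result value, and a line from an unrelated (made-up) component.
    "10-15-2015 12:57:02.101 -0400 WARN  ClientSessionsManager - ip=10.0.0.9 "
    "name=22222222-2222-2222-2222-000000000000 Updating record for "
    "sc=Windows Clients app=Splunk_TA_windows: action=Install result=Fail",
    "10-15-2015 12:57:40.000 -0400 INFO  ClientSessionsManager - ip=10.0.0.10 "
    "name=33333333-3333-3333-3333-000000000000 Updating record for "
    "sc=Windows Clients app=Splunk_TA_windows: action=Install result=Ok",
    "10-15-2015 12:58:00.000 -0400 INFO  SomeOtherComponent - unrelated message",
]

if __name__ == "__main__":
    for (name, ip), items in failed_actions(SAMPLE).items():
        for app, action, sc, ts in items:
            print(f"{ts} {ip} {name} sc={sc!r} {action} of {app} failed")
```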
1 Solution

agarrison
Path Finder

We found the problem on our own after over a week of poking through possible solutions and going back and forth with Splunk support.

The problem was that the uninstall was not removing the registry keys for the old installation.
We scripted the removal of the registry keys and were able to upgrade everything without issue.

0 Karma

mikaelbje
Motivator

Hmm, did you click Customize Options when you installed the Forwarder to disable all the default inputs?

I just found out that all our new Forwarders that were installed manually through the setup wizard had been set up with the default Windows inputs, thereby creating a Splunk_TA_windows folder. Deployment Server was not able to overwrite the folder for some reason, so deleting the folder from the Forwarder fixed the issue and DS was now able to push out the correct Splunk_TA_windows.

The difference in our case is that we were seeing this issue upon deployment app Install whereas you are seeing it on Uninstall.

This may be related to the following bug, which is identified as a Known Issue at least in 6.3.0 and 6.3.1:

2015-11-06 SPL-108220 Unable to deploy an app through Deployment Server Forwarder Management. Error: app= was already installed via search head cluster deployer, UI, CLI, or REST API; it may not be overridden via deployment server; remove existing app= via search head cluster deployer, UI, CLI, or REST API if you wish to install it via deployment server.

(http://docs.splunk.com/Documentation/Splunk/6.3.1/ReleaseNotes/Knownissues)

0 Karma

mikaelbje
Motivator

Also seeing this. Our DS runs 6.1 while the Forwarders run 6.3. Is your setup similar?

0 Karma

sajbutler
Path Finder

DS runs 6.3, Forwarders run 6.2

0 Karma

sajbutler
Path Finder

Any resolution on this, agarrison?

0 Karma

agarrison
Path Finder

Remove the product code from the registry, or use the Windows fixit tool. Both worked, but the fixit tool does not work on domain controllers.

0 Karma