We have Splunk cluster architecture with 1 cluster master, 2 indexers, and 1 search head.
We have successfully upgraded cluster master and search head from version 7.2.0 to 8.0.1.
While upgrading indexers it gets about 80% through the file transfer then begins to roll back the install and restores it to the original state i.e. 7.2.0.
Has anyone else faced a similar situation?
There is a default log file in AppData/Local/Temp/splunk.log, and you can force more logging with $ msiexec /I <splunk-MSI> /l*v <log-file>. The problem almost always ends up being that Splunk cannot write to the disk because of a permissions problem.
Here is a step-by-step solution that should always work:
Move installation file (.msi) to the `temp` folder here:
Open a command prompt (CMD) with administrative privileges and start installation with enhanced logging:
msiexec /i c:\temp\splunk-184.108.40.206-7651b7244cf2-x64-release.msi /l*vx msiexec.log
Change the default installation folder/path in setup wizard, choose a folder other than the default program folders (C:\Program Files, C:\Program Files (x86) etc.) because of possible corporate restrictions/policies (folder permissions). Start with `Temp` again:
The setup wizard should continue and install Splunk as expected with no errors. I am not suggesting that you run it permanently from there, but this is a good test for permissions problems.