Installation

Can you help me troubleshoot my Splunk Enterprise (7.2.1) install on Win10 (64-bit)?

irios86
Engager

Hello,

I'm new here and I'm trying to utilize the free training courses offered under the Splunk Veterans program. I'm at the point where I need to start the labs, but I can't get Splunk Enterprise to install on either my desktop or laptop. Both machines are running Windows 10 64-bit (1803) code. I am using an administrator-level account and I have verbose logging from msiexec. On both of my machines, it keeps failing at the SetAllUsers portion:

Action start 16:59:57: SetAllUsers.
MSI (c) (28:B0) [16:59:57:971]: Invoking remote custom action. DLL: C:\Users\irios\AppData\Local\Temp\MSI9407.tmp, Entrypoint: SetAllUsersCA
MSI (c) (28:28) [16:59:57:972]: Cloaking enabled.
MSI (c) (28:28) [16:59:57:972]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (28:28) [16:59:57:972]: Connected to service for CA interface.
SetAllUsers:  Debug: Num of subkeys found: 1.
SetAllUsers:  Info: Previously installed Splunk product is not found.
SetAllUsers:  Error: Failed SetAllUsers: 0x2.
SetAllUsers:  Info: Leave SetAllUsers: 0x80004005.
CustomAction SetAllUsers returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 16:59:57: SetAllUsers. Return value 3.

I have already tried sfc /scannow on both of my systems, and no issues were discovered.

I'm completely lost at this point and I really don't want to do a clean install on either of my systems. Does anyone have any idea what could be causing this issue?

Thanks in advance!

0 Karma
1 Solution

irios86
Engager

Well, I only spent 4 hrs digging around before caving in and posting the question here. 30 minutes after posting I figured it out. I always keep the Administrator account disabled. I figured it was worth a shot enabling it and logging in as Administrator. Lo and behold, it installed without a hitch using the Administrator account.

I went through the install process and then I logged back in using my normal account. Since Splunk installs for all users, I was able to re-disable my Administrator account and still use Splunk on my normal account.

Hope this helps someone else! I don't understand why it didn't work before since my normal user account is part of the Administrators group. Either way, not bothered because now I can press on.

Thanks!

0 Karma
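
As an added example (not part of the original thread and not Splunk or Microsoft tooling), this Python script scans a verbose msiexec log for actions that ended with "Return value 3" and collects the error codes logged while each was running, which is how the failing SetAllUsers step above can be located in a long log. The function name failed_actions and the record fields are hypothetical; the sample input is an excerpt of the log quoted in the question.

```python
import re

# Constructed sample: excerpt of the verbose msiexec log quoted in the question.
SAMPLE_LOG = r"""Action start 16:59:57: SetAllUsers.
MSI (c) (28:B0) [16:59:57:971]: Invoking remote custom action. DLL: C:\Users\irios\AppData\Local\Temp\MSI9407.tmp, Entrypoint: SetAllUsersCA
SetAllUsers:  Info: Previously installed Splunk product is not found.
SetAllUsers:  Error: Failed SetAllUsers: 0x2.
SetAllUsers:  Info: Leave SetAllUsers: 0x80004005.
CustomAction SetAllUsers returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 16:59:57: SetAllUsers. Return value 3.
"""

START = re.compile(r"^Action start (\d\d?:\d\d:\d\d): (\S+)\.\s*$")
END = re.compile(r"^Action ended (\d\d?:\d\d:\d\d): (\S+)\. Return value (\d+)\.\s*$")
HEX_CODE = re.compile(r"0x[0-9A-Fa-f]+")
MSI_CODE = re.compile(r"returned actual error code (\d+)")

def failed_actions(log_text):
    """Return one record per action that ended with 'Return value 3' (failure)."""
    open_actions = {}  # action name -> lines logged since its 'Action start'
    failures = []
    for line in log_text.splitlines():
        start, end = START.match(line), END.match(line)
        if start:
            open_actions[start.group(2)] = []
        elif end:
            body = open_actions.pop(end.group(2), [])
            if end.group(3) == "3":  # 3 means the action failed
                text = "\n".join(body)
                msi = MSI_CODE.search(text)
                failures.append({
                    "action": end.group(2),
                    "ended": end.group(1),
                    "hex_codes": HEX_CODE.findall(text),
                    "msi_error": int(msi.group(1)) if msi else None,
                    "error_lines": [l for l in body if "Error:" in l],
                })
        else:
            # Nested actions (e.g. a step inside INSTALL) each get the line.
            for lines in open_actions.values():
                lines.append(line)
    return failures

if __name__ == "__main__":
    for failure in failed_actions(SAMPLE_LOG):
        print(failure)
```

Logs written by msiexec are typically UTF-16, so a real file would be read with open(path, encoding="utf-16") before being passed to the function.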
