Getting Data In

Splunk forward on Windows server 2008, Exitcode 4

mnarkiewicz
Explorer

I'm trying to install the splunk forwarder for Windows server 2008 R2 and I keep getting the same error. The error is:

Splunk installer was unable to start Splunk Services.
Please make sure you have provided the correct username and/or password, and the user you are trying to run Splunk as has the correct privileges. Exitcode="4"

Before I tried installing this in our production environment I installed it on a test system. I followed this guide http://docs.splunk.com/Documentation/Splunk/5.0.4/Installation/PrepareyourWindowsnetworkforaSplunkin... and everything worked just fine. I followed the same steps in production and all I get is this error. I have verified that all group, permmission and GPO settings are exactly the same in test and production (except the domain names)

Tags (3)
0 Karma

mnarkiewicz
Explorer

Sorry for the long delay before responding, but running the sc query commands did not show anything. Listing all the services in the service console doesn't show the splunk services either. I have set the log on and service permissions and the log on as a batch job permissions to allow the splunk user.

I have set the splunk user to be part of the builtin administrator's group and still, no luck.

0 Karma

rovechkin_splun
Splunk Employee
Splunk Employee

can you check that splunk was not installed previously on the machine by doing
sc query splunkd
sc query splunkweb?

if they exist you need to delete them first using "sc delete service_name"

if you are installing Splunk to run as a user make sure that it has
Permission to log on as a service
Permission to log on as a batch job

you can also temporary make your user a member of buitdin administrator group to make sure that this is not permission problem.

mnarkiewicz
Explorer

Sorry for taking so long to respond.

I ran the sc query commands and it showed nothing, and in the services list in the services console they are not present.

I have set the "log on as a service" and "log on as a batch job" permissions to allow the splunk user to connect. I have added the splunk user to the builtin administrator group and still no luck.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...