splunkd windows service marked for deletion after upgrade

yazapage
Explorer

I upgraded from Splunk 3.4.9 to 4.0.1 and then to 4.1.5 using localsystem as the account.

After I upgraded the second time the splunkd service was disabled.

I tried to reactivate after changing to a domain account (with the appropriate permissions). The service is "marked for deletion" and will not allow me to change user accounts or start.

Where do I go from here? Do I need to start my upgrades all over again?

1 Solution

Ledio_Ago
Splunk Employee

Yazapage,

It seems like the "splunkd" Windows service is stuck in an un-deterministic state. First of all, once Splunk is running as a Local System user, all of the files created at run time will be owned by that user. Switching to a Domain user account will not do any good. I suggest you switch both services, including splunkweb, back to Local System User again.

As far as the splunkd service, you may need to reboot the machine for Windows Service manager to release that service. Once the machine comes back up online again, the services manager will have deleted the service, and you'll need to create another one.

As far as splunkweb, just open service manager and tell the splunkweb service to run as Local System user.

Since the splunkd service is deleted now, to create it again open a terminal and go to the Splunk home bin directory, e.g.:

cd c:\Program Files\Splunk\bin

From there run:

splunk enable boot-start

This command will try to create both services, splunkd and splunkweb, all over again.

Start Splunk:

splunk start

Let us know how it goes.

Thanks, Ledio

yazapage
Explorer

The services were recreated properly after I rebooted and ran the "splunk enable boot-start" command.
Now I have some other issues.

0 Karma

malmoore
Splunk Employee

Services marked for deletion won't be accessible until the server is restarted. After you bounce the box you should be able to create the service again.

0 Karma
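
A read-only check for the state discussed in this thread, as an added example that is not part of the original posts: it reads each service's registry key and reports whether Windows has flagged it for deletion (the `DeleteFlag` value), its start type, and its logon account. The service names are the ones used in the thread; the report layout is an assumption of this example.

```powershell
# Added example; read-only. Service names are the ones used in this thread.
$serviceNames = 'splunkd', 'splunkweb'

# Meaning of the "Start" registry value under each service key.
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$report = foreach ($name in $serviceNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

    if (-not (Test-Path -Path $key)) {
        # No key: the service no longer exists, so it can be created again.
        [pscustomobject]@{
            Service = $name; State = 'NotInstalled'; StartType = $null; Account = $null
        }
        continue
    }

    $props = Get-ItemProperty -Path $key
    $valueNames = $props.PSObject.Properties.Name

    # Windows sets DeleteFlag=1 on a service that is marked for deletion.
    $pendingDelete = ($valueNames -contains 'DeleteFlag') -and ($props.DeleteFlag -eq 1)

    [pscustomobject]@{
        Service   = $name
        State     = if ($pendingDelete) { 'MarkedForDeletion' } else { 'Installed' }
        StartType = if ($valueNames -contains 'Start') { $startTypes[[int]$props.Start] } else { $null }
        Account   = if ($valueNames -contains 'ObjectName') { $props.ObjectName } else { $null }
    }
}

$report | Format-Table -AutoSize

if ($report.State -contains 'MarkedForDeletion') {
    Write-Warning 'A service is marked for deletion; per the thread, reboot, then run "splunk enable boot-start".'
}
```

Running it again after the reboot and `splunk enable boot-start` confirms that both services exist and shows which account each one is configured to log on as.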