I've read through numerous Splunk questions/answers re: splunk installer unable to blah blah blah but haven't found the right answer that works for me. I am trying to install Splunk to a brand new VM. I'm trying to install it to the E: drive (another partition) instead of the usual C: drive as E: has 100 GB of storage. In addition, I am using the local user for the install. I'm logged in as Administrator and have ensured that the E: drive has all the permissions I need. However, I continue to get the error: splunk installer unable to start splunk services... exitcode=2. I've tried running the installer as Admin and continue to get the same issues.
In addition, I notice that even though I get this unable to start splunk services error, I see Splunk in my startup menu and I see splunkd and splunkweb under services. But each of them says AUTOMATIC and if I try and start the services, it gives me an error. I even tried via command line... nothing.
I've tried many of the other recommendations: cleared out registry, checked permissions, tried using command line, etc. Nothing seems to work. Would love any further suggestions.
Open the splunkd service and check the Log On tab. Is the service running as the local system or a user?
If you are running as a user, then review this from the Installation Manual:
Important: If you choose to run Splunk as another user, that user must:
• Be a member of an Active Directory domain (you cannot install Splunk as a local machine account other than the Local System account)
• Have local administrator privileges on the machine which you are performing the installation, and
• Have specific user rights, and other additional permissions, depending on the kinds of data you want to collect from remote machines.
Don't forget to stick the domainname and username into the field.
Like = home\s-splunk
This worked for me. I was not able to install under a domain account until I added the domain before the username. Hope this is helpful.
Great advice! Specifying the domain or using the UPN, I was able to successfully complete the install.
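The Log On check from the answer above, as an added Windows PowerShell example (not code from the thread or from Splunk). It reads the logon account of the `splunkd` and `splunkweb` services named in the question and classifies its form; the function names and the `AccountKind` labels are made up for this example.

```powershell
# Added example, not from the thread. Uses Get-WmiObject so it also runs on the
# Windows PowerShell 2.0 that ships with Windows Server 2008 R2.

# Classify the "Log On As" value of a service (hypothetical helper).
function Get-LogonAccountKind {
    param([string]$StartName)
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\.+)$') { return 'BuiltIn' }
    if ($StartName -match '^[^\\@]+@[^\\@]+$')                { return 'DomainUPN' }
    if ($StartName -match '^(?<scope>[^\\]+)\\(?<user>[^\\]+)$') {
        # ".\user" or "<this computer>\user" is a local machine account
        if ($Matches['scope'] -eq '.' -or $Matches['scope'] -eq $env:COMPUTERNAME) {
            return 'LocalMachineAccount'
        }
        return 'DomainAccount'
    }
    return 'Unqualified'   # bare user name, no domain prefix or UPN suffix
}

# Report state, start mode and logon account for each service (hypothetical helper).
function Get-SplunkServiceLogon {
    param([string[]]$ServiceName = @('splunkd', 'splunkweb'))
    foreach ($name in $ServiceName) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            Write-Warning "Service '$name' is not installed"
            continue
        }
        New-Object PSObject -Property @{
            Service     = $svc.Name
            State       = $svc.State
            StartMode   = $svc.StartMode
            LogOnAs     = $svc.StartName
            AccountKind = Get-LogonAccountKind $svc.StartName
        }
    }
}

Get-SplunkServiceLogon |
    Format-Table Service, State, StartMode, LogOnAs, AccountKind -AutoSize
```

`LocalMachineAccount` is the case the quoted manual excerpt rules out, and `DomainAccount` or `DomainUPN` are the forms the comments above report as working.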
The only way I have been able to successfully install Splunk Enterprise on Windows and have the services start (splunk-6.1.3-220630-x64-release) is to NOT change the default installation location. I tried many variations (local user, AD user, fresh Windows Server 2008 R2, fully patched Windows Server 2008 R2, AD joined, non-AD joined, etc.) until I finally just used defaults (Next > Next > Next > Finish) and found success. I then created a new Windows Server 2008 R2 Standard instance, added it to the AD domain, added a splunk service user to the local administrators group, and then installed Splunk Enterprise successfully using defaults except for the AD user.
Marking as accepted answer based on input from another customer whose issue was resolved.