All Apps and Add-ons

After upgrading Windows forwarders from Splunk 6.1.1 to 6.3, why are we getting error "app=Splunk_TA-windows: action=Uninstall result=Fail"?

agarrison
Path Finder

We recently started trying to upgrade our Windows forwarder installations from 6.1.1 to 6.3, after the upgrade, the Forwarder management page states the forwarder has errors installing. The \Splunk\etc\deployment-apps\Splunk_TA_windows folder is there and looks fine. This only affects the forwarders that we uninstall the old client and install the new client.

This is already installed on the forwarders before the upgrade, the forwarder for Windows is not changing...
I am unsure as to why I am getting this error

Has anyone seen anything like this?

10-15-2015 12:56:35.424 -0400 WARN  ClientSessionsManager - ip=10.0.0.8 name=11111111-1111-1111-1111-FBBDE9BD3C6E Updating record for sc=Windows Clients app=Splunk_TA_windows: action=Uninstall result=Fail
1 Solution

agarrison
Path Finder

We found the problem on our own after over a week of poking through possible solutions and going back and forth with splunk support.

The problem was that the uninstall was not removing the registry keys for the old installation.
We scripted the removal of the registry keys and were able to upgrade everything without issue.

View solution in original post

0 Karma

agarrison
Path Finder

We found the problem on our own after over a week of poking through possible solutions and going back and forth with splunk support.

The problem was that the uninstall was not removing the registry keys for the old installation.
We scripted the removal of the registry keys and were able to upgrade everything without issue.

0 Karma

mikaelbje
Motivator

Hmm, did you click Customize Options when you installed the Forwarder to disable all the default inputs?

I just found out that all our new Forwarders that were installed manually through the setup wizard had been set up with the default Windows inputs thereby creating a Splunk_TA_windows folder. Deployment Server was not able to overwrite the folder for some reason, so deleting the folder from the Forwarder fixed the issue and DS was now able to push out the correct Splunk_TA_windows.

The difference in our case is that we were seeing this issue upon deployment app Install whereas you are seeing it on Uninstall.

This may be related to the following bug which is identifed as a Known Issue at least in 6.3.0 and 6.3.1:

2015-11-06 SPL-108220 Unable to deploy an app through Deployment Server Forwarder Management. Error: app= was already installed via search head cluster deployer, UI, CLI, or REST API; it may not be overridden via deployment server; remove existing app= via search head cluster deployer, UI, CLI, or REST API if you wish to install it via deployment server.

(http://docs.splunk.com/Documentation/Splunk/6.3.1/ReleaseNotes/Knownissues)

0 Karma

mikaelbje
Motivator

Also seeing this. Our DS runs 6.1 while the Forwarders run 6.3. Is your setup similar?

0 Karma

sajbutler
Path Finder

DS runs 6.3, Forwarders run 6.2

0 Karma

sajbutler
Path Finder

Any resolution on this agarrison?

0 Karma

agarrison
Path Finder

Remove the product code from the registry, or use the windows fixit tool. Both worked but the fixit tool does not work on domain controllers.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...