Security

Splunkweb starts, then ends and the service is stopped.

las
Contributor

Hello.

I'm using SPLUNK 4.2.4.
This morning the field extract app had an update, after applying the update the restart failed.
This is from the windows event log:

File "D:\Program Files\Splunk\Python-2.6\Lib\site-packages\win32\win32serviceutil.py", line 785, in SvcRun
    self.SvcDoRun() 
File "D:\Program Files\Splunk\bin\SplunkWebService.py", line 37, in SvcDoRun 
    subprocess.call(gMakeCertsCmd)
File "D:\Program Files\Splunk\Python-2.6\Lib\subprocess.py", line 470, in call
    return Popen(*popenargs, **kwargs).wait()
File "D:\Program Files\Splunk\Python-2.6\Lib\subprocess.py", line 621, in __init__ 
    errread, errwrite) 
File "D:\Program Files\Splunk\Python-2.6\Lib\subprocess.py", line 830, in _execute_child startupinfo) 
   <type 'exceptions.WindowsError'> 
   [Error 193] %1 is not a valid Win32 application 

We are using windows 2008 r2.
Please help

Tried to upgrade to 4.2.5 but still the problem exists

Tags (2)
1 Solution

FunPolice
Path Finder

Similar problem here - 2008r2 x64, Splunk 4.3, applied the January Microsoft patches and now get this when the SplunkWeb service tries to start:

The instance's SvcRun() method failed 
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\win32\win32serviceutil.py", line 785, in SvcRun
    self.SvcDoRun()
  File "C:\Program Files\Splunk\bin\SplunkWebService.py", line 37, in SvcDoRun
    subprocess.call(gMakeCertsCmd)
  File "C:\Program Files\Splunk\Python-2.7\Lib\subprocess.py", line 493, in call
    return Popen(*popenargs, **kwargs).wait()
  File "C:\Program Files\Splunk\Python-2.7\Lib\subprocess.py", line 679, in __init__
    errread, errwrite)
  File "C:\Program Files\Splunk\Python-2.7\Lib\subprocess.py", line 893, in _execute_child
    startupinfo) 
<type 'exceptions.WindowsError'>: [Error 193]   File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\win32\win32serviceutil.py", line 785, in SvcRun
    self.SvcDoRun()
  File "C:\Program Files\Splunk\bin\SplunkWebService.py", line 37, in SvcDoRun
    subprocess.call(gMakeCertsCmd)
  File "C:\Program Files\Splunk\Python-2.7\Lib\subprocess.py", line 493, in call
    return Popen(*popenargs, **kwargs).wait()
  File "C:\Program Files\Splunk\Python-2.7\Lib\subprocess.py", line 679, in __init__
    errread, errwrite)
  File "C:\Program Files\Splunk\Python-2.7\Lib\subprocess.py", line 893, in _execute_child
    startupinfo) is not a valid Win32 application

Tried removing the patches, but no good. I fixed it by:

  • Installing all Windows patches
  • Shutting down Splunk services
  • Backing up \var and \etc directories.
  • Uninstalling Splunk
  • Deleting any leftover directories
  • Reinstalling Splunk
  • Shut down Splunk services
  • Renaming \var and \etc directories
  • Copying the backed-up \var and \etc directories back into the Splunk directory
  • Restarting Splunk services.

All good now!

View solution in original post

mzorzi
Splunk Employee
Splunk Employee

This situation seems to happen when there was a previous Splunk instance running under C:\ and then an uncomplete uninstall was not performed ( not sure if because of the uninstall program or what ) and in the registry there are still reference of the old Splunk Instance.

In particular after performing an uninstall there was this suspicious entry still there:

HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonService

You can try:

1) Stop Splunk
2) Make a backup of buckets and configuration files

3) Uninstall Splunk

4) Search the registry with every entry with Splunk and/or Python on it and clean them

5) Perform a full installation

6) restore the configuration files & buckets
7) create an empty file called ftr under %SPLUNK_HOME%

8) Restart Splunk

Alternatively you can try to remove only the python key above and perform another upgrade on top of your %SPLUNK_HOME

FunPolice
Path Finder

No good for me - mine is a fresh install on a new box that was working for a few days.

0 Karma

FunPolice
Path Finder

Similar problem here - 2008r2 x64, Splunk 4.3, applied the January Microsoft patches and now get this when the SplunkWeb service tries to start:

The instance's SvcRun() method failed 
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\win32\win32serviceutil.py", line 785, in SvcRun
    self.SvcDoRun()
  File "C:\Program Files\Splunk\bin\SplunkWebService.py", line 37, in SvcDoRun
    subprocess.call(gMakeCertsCmd)
  File "C:\Program Files\Splunk\Python-2.7\Lib\subprocess.py", line 493, in call
    return Popen(*popenargs, **kwargs).wait()
  File "C:\Program Files\Splunk\Python-2.7\Lib\subprocess.py", line 679, in __init__
    errread, errwrite)
  File "C:\Program Files\Splunk\Python-2.7\Lib\subprocess.py", line 893, in _execute_child
    startupinfo) 
<type 'exceptions.WindowsError'>: [Error 193]   File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\win32\win32serviceutil.py", line 785, in SvcRun
    self.SvcDoRun()
  File "C:\Program Files\Splunk\bin\SplunkWebService.py", line 37, in SvcDoRun
    subprocess.call(gMakeCertsCmd)
  File "C:\Program Files\Splunk\Python-2.7\Lib\subprocess.py", line 493, in call
    return Popen(*popenargs, **kwargs).wait()
  File "C:\Program Files\Splunk\Python-2.7\Lib\subprocess.py", line 679, in __init__
    errread, errwrite)
  File "C:\Program Files\Splunk\Python-2.7\Lib\subprocess.py", line 893, in _execute_child
    startupinfo) is not a valid Win32 application

Tried removing the patches, but no good. I fixed it by:

  • Installing all Windows patches
  • Shutting down Splunk services
  • Backing up \var and \etc directories.
  • Uninstalling Splunk
  • Deleting any leftover directories
  • Reinstalling Splunk
  • Shut down Splunk services
  • Renaming \var and \etc directories
  • Copying the backed-up \var and \etc directories back into the Splunk directory
  • Restarting Splunk services.

All good now!

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...