We have deployed Splunk_TA_stream to our Windows domain controllers. We made a change so the app is trying to redeploy. On about half the deployment clients, the install fails. After some lengthy troubleshooting I figured out to turn debug logging on, and got more details about the error.
Essentially the app can't re-install because there are files in use. How can we resolve this issue? I don't have access to the clients themselves, plus there are almost a hundred of them.
05-08-2019 09:55:15.556 -0400 WARN DeployedApplication - Unable to eliminate dir='C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream'. Splunk will continue trying to install application
05-08-2019 09:55:15.556 -0400 INFO DeployedApplication - Installing app=Splunk_TA_stream to='C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream'
05-08-2019 09:55:17.884 -0400 WARN DeployedApplication - Failed to create file C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\Packet.dll while untarring C:\Program Files\SplunkUniversalForwarder\var\run\Win_DomainControllers\Splunk_TA_stream-1557321794.bundle: The process cannot access the file because it is being used by another process.
Solution was:
1.) disable all streams in the configuration
2.) created a custom app with a scripted input:
net stop npf -- this should remove the lock on the files (or reboot)
3.) app deploys successfully
4.) mark custom app to uninstall (so the command stops running)
5.) re-enable the streams in the configuration
Solution was:
1.) disable all streams in the configuration
2.) created a custom app with a scripted input:
net stop npf -- this should remove the lock on the files (or reboot)
3.) app deploys successfully
4.) mark custom app to uninstall (so the command stops running)
5.) re-enable the streams in the configuration