Got it all figured out… In my situation the user tried to install a Forwarder OVER a full Splunk installation, not understanding the process. He had to back out of the install due to errors. The documentation clearly states Important: Do not install the universal forwarder over an existing installation of full Splunk. This resulted in the disappearance of splunkd in the services manager. Upon uninstalling the services as part of a reinstall, even though I was deleting the Splunk services manually they were not being released in memory so I could not overwrite them when I went to do a new install. Whenever I went to reinstall I got the error message: "Splunk Installer was unable to create Splunk Services. Please make sure that the user running the installer has the correct privileges, including being able to create Windows Services. Exitcode='1'". ANSWER: Make sure that the Splunk install folder does not have "read-only" anywhere within its properties. 2. Bounce Splunk after you do an installer uninstall on Windows or you manually delete the services. Windows will not always release the memory. It makes it appear as if its a permission issue which is common on Windows2008 r2 which only exacerbates issues.
... View more