Deleting the Unsupported Splunk Windows Universal Forwarder

By: Aaron Dobrzeniecki | Splunk Consultant


Have you ever run into trouble installing a new version of Splunk over an older, unsupported version? Having an older, unsupported version of the Splunk Universal Forwarder installed can cause issues with your data ingesting into your Splunk indexers. Please see the Splunk Compatibility Matrix here. In the situation below we encountered compatibility issues because we were in the middle of upgrading our Splunk environment to 8.x. The Splunk Universal Forwarder 6.5.2 is not compatible with 8.x indexers, so the data from those forwarders would not ingest into Splunk. Without deleting the unsupported Splunk Windows Universal Forwarder you'll have huge issues!

We ran into an issue with a Windows Universal Forwarder that was on version 6.5.2 of Splunk, and we were trying to upgrade the Universal Forwarder to 7.3.3. (Since Splunk 7.3.3 has reached end of support as well, you would want to install the latest version of the Splunk Universal Forwarder.) When we tried to install the new version over the current version, we received an error that the installation package for the current version was missing. Since Splunk 6.5.2 has reached end of support and was removed from the website, we were unable to download the older installer from Splunk.com; that version no longer exists there. Without the 6.5.2 installation package, we could not uninstall the Universal Forwarder from our machine. NOTE: If you have Splunk VPN access, you can still get the older versions of Splunk.

We have two options: Delete the unsupported Splunk Windows Universal Forwarder or grab the current version from behind the Splunk VPN. For this exercise, we are going to be ripping the Splunk agent from the Windows box because we do not have Splunk VPN access. Please follow the steps below:

1. Open the Command Prompt as an Administrator

2. Run: sc stop SplunkUniversalForwarder

3. Run: sc delete SplunkUniversalForwarder

This stops, then deletes, the Splunk Windows service. You may have to do this for a second Splunk service. Older Splunk Universal Forwarder software had two services, although when tested with 7.1.x, it installed only one service.

4. You can find the internal service name by right-clicking the service in the Services Control Panel, selecting "Properties", and reading the "Service Name" at the top of the dialog box.

5. Run: rmdir /s /q "C:\Program Files\SplunkUniversalForwarder"

6. From the same Command Prompt, run:

regedit

This will open the Registry Editor.

7. Search for “Splunk”. You should find an item under “HKEY_CLASSES_ROOT\Installer\Products\<SOME GUID>”

8. In the details, you’ll see a key for “ProductName”, and the value will be “Universal Forwarder”.

If you see this, you have the right item.

9. Right-click on the GUID in the left-hand pane and select "Delete" to delete the entire entry from the registry.

Now, the Splunk installer should see your host as a new install.
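The nine steps above can be run as one script from an elevated PowerShell session. The function below is an added example, not Splunk's tooling and not part of the original post: it stops and deletes the service(s), removes the install directory, then walks HKEY_CLASSES_ROOT\Installer\Products looking for the entry whose ProductName is "Universal Forwarder" and deletes only that GUID key. Assumptions not taken from the post: the second service name 'SplunkForwarder' (the post mentions a possible second service but does not name it), and the whitespace-insensitive ProductName comparison, which also matches a value stored as 'UniversalForwarder'. Because the registry deletion is irreversible, the function supports -WhatIf and prompts before each destructive step.

```powershell
#Requires -RunAsAdministrator
function Remove-OrphanedSplunkForwarder {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Services to stop and delete (steps 2-4). The post names SplunkUniversalForwarder
        # and mentions a possible second service; 'SplunkForwarder' is an assumed name for it.
        [string[]]$ServiceName = @('SplunkUniversalForwarder', 'SplunkForwarder'),
        # Install directory removed in step 5.
        [string]$InstallDir = 'C:\Program Files\SplunkUniversalForwarder',
        # ProductName value to look for under HKCR\Installer\Products (steps 7-8).
        [string]$ProductName = 'Universal Forwarder'
    )

    $result = [ordered]@{ ServicesDeleted = @(); DirectoryRemoved = $false; RegistryKeysDeleted = @() }

    # Steps 2-4: stop, then delete, every listed Windows service that actually exists.
    foreach ($name in $ServiceName) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Verbose "Service '$name' not found; skipping."; continue }
        if ($PSCmdlet.ShouldProcess($name, 'Stop and delete service')) {
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
            & sc.exe delete $name | Out-Null      # same call as 'sc delete' in step 3
            $result.ServicesDeleted += $name
        }
    }

    # Step 5: remove the leftover install directory.
    if ((Test-Path -LiteralPath $InstallDir) -and
        $PSCmdlet.ShouldProcess($InstallDir, 'Remove directory')) {
        Remove-Item -LiteralPath $InstallDir -Recurse -Force
        $result.DirectoryRemoved = $true
    }

    # Steps 6-9: enumerate the Windows Installer product entries and delete only the GUID
    # key whose ProductName matches. Whitespace is ignored in the comparison (assumption:
    # the stored value may read 'UniversalForwarder' rather than 'Universal Forwarder').
    $wanted   = $ProductName -replace '\s', ''
    $products = 'Registry::HKEY_CLASSES_ROOT\Installer\Products'
    foreach ($key in (Get-ChildItem -Path $products -ErrorAction SilentlyContinue)) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ProductName) { continue }
        if (($props.ProductName -replace '\s', '') -ne $wanted) { continue }
        $guid = $key.PSChildName
        if ($PSCmdlet.ShouldProcess("$products\$guid", "Delete product entry '$($props.ProductName)'")) {
            Remove-Item -Path $key.PSPath -Recurse -Force
            $result.RegistryKeysDeleted += $guid
        }
    }

    # Summary of what was actually removed (empty lists under -WhatIf).
    [pscustomobject]$result
}

# Preview first, then run for real (each destructive step still prompts because
# ConfirmImpact is High; add -Confirm:$false to suppress the prompts):
#   Remove-OrphanedSplunkForwarder -WhatIf -Verbose
#   Remove-OrphanedSplunkForwarder
```

Run it with -WhatIf first and check that exactly one GUID is reported under the Products key; if several product entries match, stop and confirm the ProductName in regedit as in step 8 before deleting anything. After the real run, the returned object lists the service names, directory, and registry GUID that were removed, which is useful to keep with the change record for the host.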

From here you can install the latest version of the Splunk Universal Forwarder for Windows. The reason we were unable to remove the Splunk program was that the registry entry pointed at an installation file that no longer existed. (The 6.5.2 installer was no longer on the box and we did not have a backup copy of it.) After deleting the unsupported Splunk Windows Universal Forwarder from the registry, we were able to move forward and make our forwarder compatible with the rest of the Splunk environment.

