Been browsing Splunk answers for a few days about this issue. Any help is appreciated.
Had a previous version installed 6.6.3 for which uninstallation was not successful. Meanwhile here's what I've tried:
Running the msi with *msiexec /i splunk-7.0.0-c8a78efdd40f-x64-release.msi /lv C:\splunkInstall.log* on an elevated command prompt:
Troubling part seems to be this one:
MSI (c) (1C:A8) [23:37:52:064]: Invoking remote custom action. DLL: C:\Users\diasna1\AppData\Local\Temp\MSI3CA3.tmp, Entrypoint: SetAllUsersCA
MSI (c) (1C:48) [23:37:52:065]: Cloaking enabled.
MSI (c) (1C:48) [23:37:52:066]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (1C:48) [23:37:52:066]: Connected to service for CA interface.
SetAllUsers: Debug: Num of subkeys found: 4.
SetAllUsers: Info: Previously installed Splunk product is not found.
SetAllUsers: Error: Failed SetAllUsers: 0x2.
SetAllUsers: Info: Leave SetAllUsers: 0x80004005.
Also tried installing the 32 bit version and installing 6.6.3 again. Didn't work and the issue was the same.
Any ideas on how to bypass this one?
Full Log file from msi below:
↧
Yet another "Splunk Enterprise setup wizard ended prematurely" Windows 10 x64 - Splunk 7.0.0.
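Triage of an `msiexec /lv` log like the one in the post, as an added example that is not part of the original post or of Splunk's tooling: it finds the first action that ended with `Return value 3` and collects the codes that action printed. The function names `failed_actions` and `root_cause` are hypothetical, the sample lines are a constructed excerpt in the format of the posted log, and the code names assume the values are standard Win32/HRESULT codes.

```python
import re

# Constructed sample: the failing step, in the msiexec verbose-log format
# of the log quoted in the post.
SAMPLE_LOG = r"""Action start 23:37:52: INSTALL.
MSI (c) (1C:80) [23:37:52:061]: Doing action: SetAllUsers
Action start 23:37:52: SetAllUsers.
MSI (c) (1C:A8) [23:37:52:064]: Invoking remote custom action. DLL: C:\Users\diasna1\AppData\Local\Temp\MSI3CA3.tmp, Entrypoint: SetAllUsersCA
SetAllUsers: Debug: Num of subkeys found: 4.
SetAllUsers: Info: Previously installed Splunk product is not found.
SetAllUsers: Error: Failed SetAllUsers: 0x2.
SetAllUsers: Info: Leave SetAllUsers: 0x80004005.
CustomAction SetAllUsers returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 23:37:52: SetAllUsers. Return value 3.
Action start 23:37:52: FatalError1.
Action ended 23:37:54: FatalError1. Return value 2.
Action ended 23:37:54: INSTALL. Return value 3.
"""

# In a Windows Installer log: 1 = success, 2 = user cancel, 3 = fatal error.
FATAL = 3

# Assumption: values are read as standard Win32 / HRESULT codes.
KNOWN_CODES = {
    0x2: "ERROR_FILE_NOT_FOUND",
    0x80004005: "E_FAIL",
    1603: "ERROR_INSTALL_FAILURE",
}

START = re.compile(r"^Action start [\d:]+: (\S+?)\.$")
END = re.compile(r"^Action ended [\d:]+: (\S+?)\. Return value (\d)\.$")
CODE = re.compile(r"\b(0x[0-9A-Fa-f]+)\b|error code (\d+)")
# Lines written by the installer engine itself, not by a custom action.
ENGINE_PREFIXES = ("MSI (", "Action ", "Property(", "===")


def _codes(lines):
    """Return (value, name) pairs for every code found, in order, de-duplicated."""
    seen = []
    for line in lines:
        for hex_s, dec_s in CODE.findall(line):
            value = int(hex_s, 16) if hex_s else int(dec_s)
            pair = (value, KNOWN_CODES.get(value, "unknown"))
            if pair not in seen:
                seen.append(pair)
    return seen


def failed_actions(log_text):
    """List every action that ended with 'Return value 3', in log order.

    Actions nest (SetAllUsers runs inside INSTALL), so open actions are kept
    on a stack and custom-action output is attributed to the innermost one.
    """
    stack, failures = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = START.match(line)
        if m:
            stack.append({"action": m.group(1), "output": []})
            continue
        m = END.match(line)
        if m:
            name, rv = m.group(1), int(m.group(2))
            # Find the matching open action; tolerate logs cut off at the top.
            idx = next((i for i in range(len(stack) - 1, -1, -1)
                        if stack[i]["action"] == name), None)
            if idx is None:
                frame = {"action": name, "output": []}
            else:
                frame = stack[idx]
                del stack[idx:]
            if rv == FATAL:
                frame["codes"] = _codes(frame["output"])
                failures.append(frame)
            continue
        if line and stack and not line.startswith(ENGINE_PREFIXES):
            stack[-1]["output"].append(line)
    return failures


def root_cause(log_text):
    """The first fatal action is the cause; later ones are its parents failing."""
    failures = failed_actions(log_text)
    return failures[0] if failures else None


if __name__ == "__main__":
    root = root_cause(SAMPLE_LOG)
    print("failing action:", root["action"])
    for value, name in root["codes"]:
        print(f"  {value:#x} {name}")
    for line in root["output"]:
        print("  |", line)
```
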
↧
About using "rising column" in DBconnect v3.
I'm thinking to get data from MSSQL server by using DBconnect.
Then I want to get only new data by using "rising column".
By the way, there is one point which concerns me.
When acquiring new data using "rising column", and using time columns, if data that has the same time value as other data is added, can Splunk capture it?
Example:
Time Name
2017/11/24 10:00:00 John ← Already indexed
2017/11/24 10:15:00 Mark ← Already indexed
2017/11/24 10:15:00 Bob ← New!
Also, if it is not able to, is there any good method?
If someone knows about it, I would appreciate it if you could tell me.
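The scenario from the question, reproduced as an added example that is not part of the original post: it assumes the rising-column input fetches rows with `column > checkpoint` and stores the last value seen, and it simulates that with an in-memory SQLite table instead of MSSQL and DB Connect. The table, the `id` column and the function names are hypothetical.

```python
import sqlite3

ALLOWED_COLUMNS = ("id", "time")  # identifiers are whitelisted, values are bound


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"  # unique, always increasing
        " time TEXT NOT NULL,"
        " name TEXT NOT NULL)"
    )
    return conn


def add(conn, time, name):
    conn.execute("INSERT INTO events (time, name) VALUES (?, ?)", (time, name))


def poll(conn, column, checkpoint):
    """One polling cycle: fetch rows strictly above the checkpoint.

    Returns the names fetched and the checkpoint to store for the next cycle.
    """
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unexpected rising column: {column!r}")
    rows = conn.execute(
        f"SELECT id, time, name FROM events WHERE {column} > ? ORDER BY {column} ASC",
        (checkpoint,),
    ).fetchall()
    if rows:
        checkpoint = rows[-1][ALLOWED_COLUMNS.index(column)]
    return [name for _id, _time, name in rows], checkpoint


def run(column, start):
    """Replay the question's data: two rows, a poll, then a late row, a poll."""
    conn = make_db()
    add(conn, "2017/11/24 10:00:00", "John")
    add(conn, "2017/11/24 10:15:00", "Mark")
    first, checkpoint = poll(conn, column, start)
    # Arrives after the first poll but carries the same timestamp as Mark.
    add(conn, "2017/11/24 10:15:00", "Bob")
    second, _ = poll(conn, column, checkpoint)
    return first, second


if __name__ == "__main__":
    print("rising column = time:", run("time", ""))  # Bob is never fetched
    print("rising column = id:  ", run("id", 0))     # Bob is fetched
```

Under that assumption, a column whose values can repeat loses any row that lands on the checkpoint value after the poll; a unique increasing key does not.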
↧
↧
Search string to filter filed not updated in last 24 hours
Hi,
I use the below search to filter the sources which were not updated on the current day (today):
index=index sourcetype="sourcetype" source="source*.csv" | table source, _time | dedup source | where _time < relative_time(now(),"-1d@d")
This string was providing the results and now suddenly stops working. No changes were made whatsoever.
Can someone help me with this?
Thanks
↧
Can't manually put peer into detention - valid boolean error
Hi All,
I am trying to put one of our cluster indexer peers into manual detention and I get a boolean error:
CLI:
\bin>splunk edit cluster-config -manual_detention on_ports_enabled
Error:
key=manual_detention with val=on_ports_enabled is not a valid boolean value
I am running the above directly on the peer. I have not tried running from the CM.
I just want to stop using it for replication as it falls far short in matching the rest of the cluster in terms of specs and continuously causes bucket errors with the rest of the cluster.
I can't find any reference to this error or many people using the manual detention function.
Any help would be very much appreciated.
Thanks
↧
Which technology does Splunk use?
Which technology does Splunk use?
↧
↧
Question: How does Splunk collect Java application logs without installing a forwarder
Question: In our Java application there are log files being generated. As we want to do analytics on the logs, the service delivery team is using Splunk for that. Is it possible for Splunk to listen / connect to a port remotely to the folder where our Java application log files are? We do not want to install a forwarder. Any other best solution?
↧
length of string (Urgent Requirement pls)
Hi All.
I want the length of a string including spaces, double quotes and all special characters.
|eval length=len("East1" or "East1")
|eval lenght2=len("%")
↧
Summary range is showing zero after accelerating data model for 7 days in splunk
I have accelerated a data model for 7 days. There is a lot of data missing while running queries based on the data model.
PFA
↧
How to get a graph with respect to time spend vs number of events
I have a program which is logging events after every 1 hour. Which means the job runs after every 1 hour.
With every run it generates a `UniqueID` and it stays the same throughout until the program gets terminated for that hour's run. The program logs `FileName` with it. To discriminate the start and stop of the program, it logs status as `Status=START` and `Status=END`. `Status` is the field-name. So for example below are the two sample runs.
index=prg, _time=2:00, UniqueID=ID1, Status=START, Message="Program starts"
index=prg, _time=2:01, UniqueID=ID1, FileName=F1, Status=DEBUG, Message="File logged"
index=prg, _time=2:02, UniqueID=ID1, FileName=F2, Status=DEBUG, Message="File logged"
index=prg, _time=2:03, UniqueID=ID1, FileName=F3, Status=DEBUG, Message="File logged"
index=prg, _time=2:04, UniqueID=ID1, Status=END, Message="Program ends"
index=prg, _time=3:00, UniqueID=ID2, Status=START, Message="Program starts"
index=prg, _time=3:05, UniqueID=ID2, FileName=F11, Status=DEBUG, Message="File logged"
index=prg, _time=3:07, UniqueID=ID2, FileName=F12, Status=DEBUG, Message="File logged"
index=prg, _time=3:09, UniqueID=ID2, FileName=F13, Status=DEBUG, Message="File logged"
index=prg, _time=3:11, UniqueID=ID2, FileName=F17, Status=DEBUG, Message="File logged"
index=prg, _time=3:22, UniqueID=ID2, Status=END, Message="Program ends"
So with above example we could see `ID1` took 4 minutes to end and logged 3 files, whereas `ID2` took 22 minutes and logged 4 files. I need this in a graph, where time would be in Y axis and number of files would be in X axis. We want to see the trend... like for how many files what the time graph looks like.
↧
↧
Fields parsing issue for tomcat add on
Hi Team ,
We have an issue with the tomcat add-on logs: the fields are not parsing properly. If I use sourcetype=tomcatweb.access host=TOMCAT GET NOT xxx.xxx NOT xx.x*0, in "interesting fields" I encountered fields which are not proper, for example:
ga
t
p_p_id
s_fid
WT_FPC
If i Run query sourcetype=tomcatweb.access host=TOMCAT , i have seen proper fields like
index
eventtype
linecount .
Kindly let me know how to fix this
↧
Rex to optionally extract several fields
I have the need to extract fields between single quotes ( `'192.168.0.1', '192.168.0.2'`) in a field that may contain several matches.
How can I make this happen? They are tied to a hostname so my ultimate goal is to instead of having a table with hostname, ip says
`hostname=a ip_addresses='192.168.0.1',192.168.0.2'`
I have
`hostname=a ip_addresses=192.168.0.1`
`hostname=a ip_addresses=192.168.0.2`
The rex i devised is `| rex field=ip_addresses "(\d+|\.)+(,'\s*\d+|\.\w)*"`
I'm currently stumped as I don't know how to extract and supply several rows for this.
The first step is to extract the separate ip addresses, and the second is to display them in a table with the ip addresses on a new row each.
Thanks in advance
↧
App certification issues based on one app updating macros.conf of another app?
Hi Splunk experts!
I'm working with three Splunk apps:
1. Dashboard App (DA)
2. TA (TA)
3. TA for Adaptive Response (TA-AR)
These apps receive events from a remote machine. The TA presents a setup page to the user which allows the user to specify an index from which all dashboards in the DA will pull their events. For all practical purposes, it's safe to assume that the user would edit this index config very rarely. The problem I'm trying to solve is to **populate all dashboards in DA according to user config in TA setup page.**
So far, I've been accomplishing this by **defining a macro 'get_index' in DA** and then using this macro in each dashboard search inside DA. Inside TA, any time the user updates the index field, I **call the macros REST endpoint to update the macros.conf in DA.** As a result, all dashboards in DA start pulling events from the new index because the underlying 'get_index' macro has been updated.
Recently, I heard that my app won't pass certification (I haven't formally submitted the app for certification yet) since one app is not allowed to modify contents of another app. I would like to know if this info is correct. If yes, what is the best approach to solving this use case? A few possible alternative strategies I can think of, are:
1. DA and TA have separate setup pages. DA setup page asks for index info. TA setup page asks for everything else.
2. Do away with macros and make all dashboards in DA independent of all indexes. Then, require the user to set the 'default searchable index' (for the DA app users) to be same as that entered on the TA setup page.
Thanks.
↧
Difference in query performance between WinEventLog:Application and XmlWinEventLog:Application
Hi all,
There are a number of reports that run on a daily basis to report the auditing of an application which sends its data to the windows event logs. For a reason (probably best not to ask) some servers report with renderXml=false, others with renderXml=true.
Normally I've seen no issue with this, but when I run queries against the XML rendered eventlogs, they return very slowly by comparison.
To explain in rough figures (from a single run of each). Each is the same 15 minute span.
index=my_index sourcetype=xmlwineventlog:application; running in smart mode: 33,709 events in 72.065 seconds
index=my_index sourcetype=xmlwineventlog:application; running in fast mode: 33,709 events in 3.728 seconds
index=my_index sourcetype=wineventlog:application; running in smart mode: 3,637 events in 3.098 seconds
index=my_index sourcetype=wineventlog:application; running in fast mode: 3,637 events in 2.691 seconds
The Splunk_TA_windows app is on the search head and there is only one custom field extraction applied (for key:value extractions). Trying to run a query on the XML events with any kind of streaming search can result in the report timing out. Nothing that exciting is in the search.log either.
What should I be looking for in order to investigate where the performance of this is going wrong?
Thanks!
↧
↧
Script input is not being logged to Index continuously
Hi,
I placed a batch script in $SPLUNK_HOME/\etc\system\bin to get the tasklist details into the Splunk index for every minutes, but for some reason the data is not getting logged continuously. Please suggest a fix, so that I get the script output to the index continuously at every 5 minutes.
↧
Previous dates and next dates data fetching by click operation
Hi,
I am trying to get the data by clicking on previous date and next date buttons.
If we click previous date one time, I want yesterday's date data,
if we click previous date a second time then I want the day before yesterday's date data, and
if we click next date one time, I want tomorrow's date data,
if we click next date a second time then I want the day after tomorrow's date data.
This is my requirement.
I am trying by using earliest and latest.
I am trying by using epochs.
Still I am not getting it.
I need help from you.
Thank you.
↧
Query for Splunkd Status
Hi Guys,
Is there any query in the Splunk web that lets me see if splunkd is not running on a forwarder?
Tks.
↧
Why should only the Splunk_TA_vmware be deployed on indexers when the default config will generate errors in splunkd ?
Hello,
VMWare deployment respecting **Splunk deployment matrix** will generate error messages in indexers splunkd.log
The deployment of the Splunk add-ons for VMWare generate error messages in splunkd.log due to shared objects from the SA-Hydra and SA-VMNetAppUtils.
The deployment matrix provided by Splunk requests only the deployment of the "Splunk_TA_vmware" on the indexers:
[http://docs.splunk.com/Documentation/AddOns/released/VMW/Installationoverview][1]
![alt text][2]
However, if both the SA-Hydra and SA-VMNetAppUtils are NOT deployed on the indexers where the Splunk_TA_vmware is deployed, the following message appears in splunkd:
11-13-2017 10:57:14.208 +0000 ERROR ModularInputs - Introspecting scheme=ta_vmware_collection_worker: script running failed (exited with code 1).
11-13-2017 10:57:14.208 +0000 ERROR ModularInputs - Unable to initialize modular input "ta_vmware_collection_worker" defined inside the app "Splunk_TA_vmware": Introspecting scheme=ta_vmware_collection_worker: script running failed (exited with code 1).
Only the deployment of the SAs will fix this situation, OR renaming / deleting the "Splunk_TA_vmware/default/inputs.conf" and "Splunk_TA_vmware/README/inputs.conf.spec"
Since Splunk is not requesting the deployment of the Support Add-ons, either the deployment matrix must be fixed, or the packages themselves must be fixed such that deploying the Splunk_TA_vmware alone does create this error by default.
**STEPS TO REPRODUCE:**
- Follow the deployment guidance for VMWare addons with a distributed architecture including dedicated indexers instances
- Check splunkd.log on Splunk startup
[1]: http://docs.splunk.com/Documentation/AddOns/released/VMW/Installationoverview
[2]: /storage/temp/219875-selection-924.png
Many thanks,
↧
↧
How to assign value for multiselect option with another token?
Hi, I have a token $hosttype$ which will get values such as 'web', 'rpt', etc. If the All option is selected, the value to be passed to $tokenhost$ should be "prod-$hosttype*". How do I assign a value as a concatenated string with another token?
index=app sourcetype=app_gc_log host="prod-$hosttype$*"| dedup host |sort host | table host -30d@d now All host host host= OR
↧
Splunk SAML Assertion X509Certificate
Hi all,
Do you know the procedure to change the SAML Assertion X509Certificate (= server.pem) for a certificate signed by a third-party?
Regards.
↧
Splunk Query using startSearch() is not running in a loop with token
Hi
I have a Splunk query (with JavaScript) which I would like to run multiple times using a JavaScript loop. Please find the code below:
`dupcount1 = splunkjs.mvc.Components.get("search8");
dupcount1.data("results").on("data", function(results) {
    if (DupData == true) {
        var dupcount = results._data['rows'][0][0];
        var i;
        var batchsize = 10;
        for (i = 0; i <= dupcount / batchsize; i++) {
            if (i == 0) {
                defaultTokenModel.set("head1", batchsize);
                search4.startSearch();
            } else {
                defaultTokenModel.set("head2", batchsize * (i + 1));
                defaultTokenModel.set("tail", batchsize * i);
                search9.startSearch();
            }
        }
        return true;
    }
});`
Based on the value of ***i***, I am setting the token and starting the search. When (***i***==0) the search runs fine and everything completes graciously. The issue I am facing is that when (***i*** !=0), the job is triggered only for the last loop. What I would like is that, if there are 9 loops, 9 searches should be triggered. I am not able to understand why only the last search is starting in the ***else*** loop.
Thanks in advance.
↧