Python development with Splunk Enterprise
Check this manual often for updated information about the Splunk platform Python 3 migration. The content is subject to change.
The migration to Python 3 impacts Python scripts developed by Splunk app and add on developers and admins. In addition to changes to Python scripts, there are additional settings for Splunk administrators and prerequisites for upgrading to Splunk Enterprise version 8.0. For more information, see Changes to Splunk Enterprise. For Splunk Enterprise version 8.0 upgrade instructions, see Choose your Splunk Enterprise upgrade path for the Python 3 migration.
Developers must update Python scripts used in apps and add-ons for compatibility with Splunk Enterprise version 8.0. For guidelines for updating Python scripts in general, see Python Code Compatibility.
The following Splunk Enterprise features will require script-level compatibility with Python 3.7:
These must be made dual-compatible with both Python 2 and 3 to prevent breakage for customers upon upgrade.
Splunk Enterprise provides settings to specify which Python interpreter to use at global and script levels, covered in Changes to Splunk Enterprise.
Removal of deprecated Splunk platform features
Some deprecated features have been removed from Splunk Enterprise version 8.0, which might require file revisions:
- Advanced XML (deprecated in Splunk version 6.3). If possible, replace Advanced XML with Simple XML. For more information about alternatives to Advanced XML available in Splunk Enterprise, see Building customizations for the Splunk platform.
- Splunk Web Legacy Mode (deprecated in Splunk version 6.4): do not set
appServerPorts = 0in web.conf.
Writing scripts compatible with Python 2 and Python 3
Developers must make all Python files and scripts compatible with Python 3 to be compatible with Splunk Enterprise version 8.0. When making apps and scripts compatible with Python 3, Splunk recommends writing dual-compatible Python code that works with both Python 2 and Python 3 interpreters. For more information about Python compatibility libraries, see Python Code Compatibility.
Apps that must be written in Python 3-only syntax should set
python3 in the appropriate .conf files for individual scripts. Developers should not set
server.conf, nor set
python.version in any .conf files for apps that are dual-compatible with Python 2 and 3. For more information about
python.version settings, see Changes to Splunk Enterprise.
Running against earlier indexer tiers
For apps that might run against a Splunk Enterprise version 7.3.x or earlier indexer tier, admins should ensure those apps use dual-compatible Python syntax. This is because custom search commands and scripted lookups will be passed to the indexer tier as part of the knowledge bundle, and any Python 3-specific syntax will fail on the indexer.
Module naming conflicts
You should also rename any files that conflict with Python standard modules or Splunk libraries, such as files named
test.py. Use different, non-reserved names to avoid namespace conflicts in Python 3.
Splunk SDK for Python
The Splunk SDK for Python API and service wrappers are dual-compatible with Python 2 and Python 3, starting with version 1.6.5. Upgrade to the latest version of the Splunk SDK for Python to help make scripts that use the Splunk SDK for Python compatible with the Splunk Enterprise version 8.0.
Identifying Python scripts
Splunk provides the Splunk Platform Upgrade Readiness app for admins to scan deployed apps for any components impacted by migration to Python 3. For more information, see the Splunk Platform Upgrade Readiness App.
You can also manually identify possibly impacted Python scripts in your app or deployment by taking the following steps:
- Identify files ending in
- Identify files in
$SPLUNK_HOME/etc/apps/$<app_name>/bin/. These are typically custom scripts or inputs, which might not necessarily end in
*.py.but can still be implicitly executed by the Python interpreter used by Splunk Enterprise.
- Identify any other files explicitly executed by the Python interpreter. These files are often executed by the command
splunk cmd python $<script_name>.py. These files could contain shell scripts or could exist outside an app's or deployment's standard directories.
Unlike the rest of Splunk Enterprise version 8.0, Splunk Web will support only Python 3.7. Scripts that depend on Splunk Web (including custom CherryPy endpoints and Python in Mako templates) must be upgraded to be compatible with both Python 2 and Python 3 to allow for simpler upgrades.
Changes to Splunk Enterprise
Python Code Compatibility
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2