Python development with Splunk Enterprise
Check this manual often for updated information about the Splunk platform Python 3 migration. The content is subject to change.
The migration to Python 3 impacts Python scripts developed by Splunk app and add on developers and admins.
Changes to Python scripts
You must update your Python scripts used in apps and add-ons for compatibility with the Splunk Enterprise Python 3 release. The following features will require compatibility with Python 3.7:
Splunk Enterprise will provide a way to specify Python runtime version at an individual script level. More details will be provided in a future update to this manual.
Removal of deprecated Splunk platform features
Some deprecated features will be removed from the Splunk Enterprise Python 3 release:
- Advanced XML (deprecated in Splunk version 6.3). If possible, replace Advanced XML with Simple XML.
- Splunk Web Legacy Mode (deprecated in Splunk version 6.4): do not set
appServerPorts = 0in web.conf.
Making scripts cross-compatible with Python 2 and Python 3
Splunk recommends Cross-compatible Python code that works with both Python 2 and Python 3 interpreters. With the Splunk Enterprise Python 3 release and upcoming maintenance releases of Splunk Enterprise version 7.x, Spunk will provide cross-compatibility libraries to help make your scripts compatible with both Python 2 and Python 3.
For apps that might run against a Splunk Enterprise version 7.3.x or earlier indexer tier, use cross-compatible Python 2 syntax. This is because custom search commands and scripted lookups might be passed to the indexer tier as part of the knowledge bundle, and any Python 3-specific syntax will fail on the indexer.
You should also rename any files that conflict with Python standard modules or Splunk libraries, such as files named
test.py. Use different, non-reserved names to avoid namespace conflicts in Python 3.
You should properly store and import cross-compatible Python libraries and update the Python path according to guidelines provided in The directory structure of a Splunk App in Splunk developer docs.
Splunk SDK for Python
The Splunk SDK for Python API and service wrappers are cross-compatible with Python 2 and Python 3, starting with version 1.6.5. Upgrade to the latest version of the Splunk SDK for Python to help make scripts that use the Splunk SDK for Python compatible with the Splunk Enterprise Python 3 release.
Python interpreter switches
Splunk Enterprise version 8.0.0 includes python.version settings to control which version of the Python interpreter is used by Splunk Enterprise at the script-level. For the following scripts, the python.version setting resides in the corresponding conf file:
|Custom search commands|
|Custom alert actions|
|Custom REST endpoints|
Splunk Enterprise version 8.0.0 include a global setting,
python.version, to specify which Python interpreter to use across an instance. The global setting is covered in Upcoming Changes to Splunk Enterprise.
By default, the script-level setting of
python.version is not set, and the script will use the Python interpreter specified by the global setting in
python also uses the Python interpreter specified by the global setting in
server.conf. If set to
python3, the corresponding Python interpreter will be used. This overrides the global setting, except if the global setting is
force_python3, in which case Python 3 is always used.
Identifying Python scripts
Identify scripts impacted by the Splunk Enterprise Python 3 release with the latest version of the Splunk AppInspect tool, which now scans for features that require revision. Install the latest AppInspect to check your apps for Python migration-related changes.
Splunk will also release a Splunk Upgrade Readiness app for admins to scan deployed apps for any components impacted by migration to Python 3. More information about the Splunk Upgrade Readiness app will be provided in this manual in the future.
You can also manually identify possibly impacted Python scripts in your app or deployment by taking the following steps:
- Identify files ending in
- Identify files in
$SPLUNK_HOME/etc/apps/$<app_name>/bin/. These are typically custom scripts or inputs, which might not necessarily end in
*.py.but can still be implicitly executed by the Python interpreter used by Splunk Enterprise.
- Identify any other files explicitly executed by the Python interpreter. These files are often executed by the command
splunk cmd python $<script_name>.py. These files could contain shell scripts or could exist outside an app's or deployment's standard directories.
Unlike the Splunk Enterprise Python 3 release, Splunk Web will support only Python 3.7. Scripts that depend on Splunk Web (including custom CherryPy endpoints and Python in Mako templates) must be upgraded to use Python 3.7 syntax.
See Resources for more help about migrating Python 3 scripts.
Changes to Splunk Enterprise
Python Code Compatibility
This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.1.0, 8.1.1