Splunk® Enterprise

Python 3 Migration

Python development with Splunk Enterprise

Check this manual often for updated information about the Splunk platform Python 3 migration. The content is subject to change.

The migration to Python 3 impacts Python scripts developed by Splunk app and add-on developers and admins.

Changes to Python scripts

You must update your Python scripts used in apps and add-ons for compatibility with the Splunk Enterprise Python 3 release. The following features will require compatibility with Python 3.7:

  • Custom web controllers (such as CherryPy endpoints)
  • Custom Mako templates

Splunk Enterprise will provide a way to specify Python runtime version at an individual script level. More details will be provided in a future update to this manual.

Removal of deprecated Splunk platform features

Some deprecated features will be removed from the Splunk Enterprise Python 3 release:

  • Advanced XML (deprecated in Splunk version 6.3). If possible, replace Advanced XML with Simple XML.
  • Splunk Web Legacy Mode (deprecated in Splunk version 6.4): do not set appServerPorts = 0 in web.conf.

Making scripts cross-compatible with Python 2 and Python 3

Splunk recommends cross-compatible Python code that works with both Python 2 and Python 3 interpreters. With the Splunk Enterprise Python 3 release and upcoming maintenance releases of Splunk Enterprise version 7.x, Splunk will provide cross-compatibility libraries to help make your scripts compatible with both Python 2 and Python 3.

For apps that might run against a Splunk Enterprise version 7.3.x or earlier indexer tier, use cross-compatible Python 2 syntax. This is because custom search commands and scripted lookups might be passed to the indexer tier as part of the knowledge bundle, and any Python 3-specific syntax will fail on the indexer.

You should also rename any files that conflict with Python standard modules or Splunk libraries, such as files named test.py. Use different, non-reserved names to avoid namespace conflicts in Python 3.

You should properly store and import cross-compatible Python libraries and update the Python path according to guidelines provided in The directory structure of a Splunk App in Splunk developer docs.

Splunk SDK for Python

The Splunk SDK for Python API and service wrappers are cross-compatible with Python 2 and Python 3, starting with version 1.6.5. Upgrade to the latest version of the Splunk SDK for Python to help make scripts that use the Splunk SDK for Python compatible with the Splunk Enterprise Python 3 release.

Python interpreter switches

Splunk Enterprise version 8.0.0 includes python.version settings to control which version of the Python interpreter is used by Splunk Enterprise at the script-level. For the following scripts, the python.version setting resides in the corresponding conf file:

Script type                File
Custom search commands     commands.conf
Modular inputs             inputs.conf
Scripted inputs            inputs.conf
Custom alert actions       alert_actions.conf
Scripted lookups           transforms.conf
Custom REST endpoints      restmap.conf
Scripted authentication    authentication.conf

Splunk Enterprise version 8.0.0 includes a global setting, python.version, to specify which Python interpreter to use across an instance. The global setting is covered in Upcoming Changes to Splunk Enterprise.

By default, the script-level setting of python.version is not set, and the script will use the Python interpreter specified by the global setting in server.conf. Setting python.version to default or python also uses the Python interpreter specified by the global setting in server.conf. If set to python2 or python3, the corresponding Python interpreter will be used. This overrides the global setting, except if the global setting is force_python3, in which case Python 3 is always used.
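The precedence rules above, worked through as an added example (not Splunk code and not part of this manual): it parses a constructed commands.conf and reports which interpreter each stanza gets, plus any python2 or python3 pin that the global setting overrides. The stanza names and function names are hypothetical, and the global values python2, python3 and force_python3 are assumed to be read from server.conf by the caller.

```python
import configparser

# Constructed sample of a commands.conf; stanza names are hypothetical.
SAMPLE_COMMANDS_CONF = """\
[newcommand]
filename = newcommand.py
python.version = python3

[legacycommand]
filename = legacycommand.py
python.version = python2

[plaincommand]
filename = plaincommand.py
"""

def effective_interpreter(script_setting, global_setting):
    """Resolve the interpreter per the precedence rules in the text."""
    if global_setting == "force_python3":
        return "python3"              # global force wins over any script pin
    if script_setting in ("python2", "python3"):
        return script_setting         # script-level pin overrides the global
    return global_setting             # unset, "default" or "python"

def audit_conf(conf_text, global_setting):
    """Map each stanza to (script-level setting, effective interpreter)."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str          # keep key case as written
    parser.read_string(conf_text)
    report = {}
    for stanza in parser.sections():
        pin = parser.get(stanza, "python.version", fallback=None)
        report[stanza] = (pin, effective_interpreter(pin, global_setting))
    return report

def overridden_pins(conf_text, global_setting):
    """Stanzas whose python2/python3 pin is ignored by the global setting."""
    audit = audit_conf(conf_text, global_setting)
    return sorted(stanza for stanza, (pin, eff) in audit.items()
                  if pin in ("python2", "python3") and pin != eff)

if __name__ == "__main__":
    for mode in ("python2", "force_python3"):
        print(mode, audit_conf(SAMPLE_COMMANDS_CONF, mode))
        print("  overridden pins:", overridden_pins(SAMPLE_COMMANDS_CONF, mode))
```

A stanza reported by overridden_pins is a script that was pinned to Python 2 but will run under Python 3, so it is the first place to look for migration failures.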

Identifying Python scripts

Identify scripts impacted by the Splunk Enterprise Python 3 release with the latest version of the Splunk AppInspect tool, which now scans for features that require revision. Install the latest AppInspect to check your apps for Python migration-related changes.

Splunk will also release a Splunk Upgrade Readiness app for admins to scan deployed apps for any components impacted by migration to Python 3. More information about the Splunk Upgrade Readiness app will be provided in this manual in the future.

You can also manually identify possibly impacted Python scripts in your app or deployment by taking the following steps:

  • Identify files ending in *.py.
  • Identify files in $SPLUNK_HOME/etc/apps/$<app_name>/bin/. These are typically custom scripts or inputs, which might not necessarily end in *.py but can still be implicitly executed by the Python interpreter used by Splunk Enterprise.
  • Identify any other files explicitly executed by the Python interpreter. These files are often executed by the command splunk cmd python $<script_name>.py. These files could contain shell scripts or could exist outside an app's or deployment's standard directories.
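The three manual steps above can be scripted. The following is an added example, not Splunk tooling or part of this manual: it walks one app directory and returns the *.py files, the files under bin/ that lack a .py extension but start with a Python shebang, and the scripts named after "splunk cmd python" in any other file. The function name scan_app and both detection patterns are assumptions of this example, and files outside the app directory are not covered.

```python
import os
import re
import sys

# Heuristics assumed by this example: a python shebang marks an implicitly
# executed script, and the invoked script follows "splunk cmd python".
PY_SHEBANG = re.compile(rb"^#!.*python")
SPLUNK_CMD = re.compile(rb"splunk\s+cmd\s+python[0-9.]*\s+(\S+)")

def scan_app(app_dir):
    """Return the three groups of files described in the manual steps."""
    found = {"py_files": [], "bin_non_py": [], "explicit_python": []}
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, app_dir)
            if name.endswith(".py"):
                found["py_files"].append(rel)
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)   # cap the read per file
            except OSError:
                continue                      # unreadable: skip, keep scanning
            # Anything under <app>/bin/ whose first line is a python shebang.
            if rel.split(os.sep)[0] == "bin" and PY_SHEBANG.match(data):
                found["bin_non_py"].append(rel)
            # Shell scripts and other files that invoke the interpreter.
            for match in SPLUNK_CMD.finditer(data):
                target = match.group(1).decode("utf-8", "replace")
                found["explicit_python"].append((rel, target))
    return {group: sorted(items) for group, items in found.items()}

if __name__ == "__main__":
    # Usage: python scan_app.py $SPLUNK_HOME/etc/apps/<app_name>
    for group, items in scan_app(sys.argv[1]).items():
        print(group)
        for item in items:
            print("   ", item)
```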

Splunk Web

Unlike the Splunk Enterprise Python 3 release, Splunk Web will support only Python 3.7. Scripts that depend on Splunk Web (including custom CherryPy endpoints and Python in Mako templates) must be upgraded to use Python 3.7 syntax.

See Resources for more help about migrating Python 3 scripts.

Last modified on 12 January, 2021

This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.1.0, 8.1.1
