Changes to Splunk Enterprise
Check this manual often for updated information about the Splunk platform Python 3 migration. The content is subject to change.
The Python 3.7 interpreter is used by default in Splunk Enterprise version 9.x. There is no option to use Python 2.7 in Splunk Enterprise version 9.x.
The following changes to Splunk Enterprise version 8.x and higher cause breaking changes to existing Python scripts:
- Python scripts in the deprecated module system. Any scripts with Python 2 syntax in
[app]>appserver>modules>[module name]that aren't Python 3 compatible will cause UI errors.
- Custom web controllers (such as CherryPy endpoints). Requires script-level compatibility with Python 3.7. Failure to make scripts compatible with Python 3.7 may cause issues starting Splunk Web.
- Custom Mako templates. Requires script-level compatibility with Python 3.7. Failure to make scripts compatible with Python 3.7 may cause issues starting Splunk Web.
- Advanced XML (deprecated in Splunk version 6.3): removed. If possible, replace Advanced XML with Simple XML. For more information about alternatives to Advanced XML available in Splunk Enterprise, see Building customizations for the Splunk platform.
- Splunk Web Legacy Mode (deprecated in Splunk version 6.4): removed. Do not set
appServerPorts = 0in web.conf.
To prevent issues starting Splunk Web, revise apps for Python 3 compatibility. If an app cannot be upgraded, it must be removed for Splunk Web to start.
Python interpreter settings
Splunk Enterprise versions 8.x and higher include a global setting,
python.version, to specify which Python interpreter to use across an instance. The global setting resides in the server.conf file, located in
$SPLUNK_HOME/etc/system/local/. The stanza that controls Python version is
[general]. For more information how Splunk Enterprise uses configuration files, see About configuration files.
For Splunk Enterprise version 8.1 and higher,
python.version defaults to
python3 within server.conf. For prior versions of Splunk Enterprise,
python.version defaults to
To force Splunk Enterprise to use only the Python 3 interpreter regardless of script-level setting, set
python.version = force_python3. Use this setting if your Splunk Enterprise deployment and all Splunk apps and add-ons are fully migrated and ready to run Python 3 only.
Splunk Enterprise also includes
python.version settings to control which version of the Python interpreter is used by Splunk Enterprise at the script-level. For the following scripts, the
python.version setting resides in the corresponding conf file:
|Custom search commands
|Custom alert actions
|Custom REST endpoints
By default, the script-level setting of
python.version is not set, and the script will use the Python interpreter specified by the global setting in server.conf. Setting
python also uses the Python interpreter specified by the global setting in server.conf. If set to
python3, the corresponding Python interpreter will be used. This overrides the global setting, except if the global setting is
forcepython3, in which case Python 3 is always used.
default to remove Python 3 migration-related start up warnings for your impacted apps.
Apps that must be written in Python 3-only syntax should set
python3 in the appropriate .conf files for individual scripts. Developers should not set
server.conf. For dual-compatibility with both Python 2 and 3, set
python3 in the following .conf files:
- restmap.conf (for custom endpoints)
- transforms.conf (for scripted lookups)
Additional required setting of
python.version specific to your app can be reported by running AppInspect. For more information, see the Splunk AppInspect tool.
coldToFrozenScript applies if the canonical path to the Python interpreter is used. However, note that for
* scripts set executable on UNIX with a #! shebang line pointing to a valid interpreter.
If your script is specified with
#! /usr/bin/env python, then
python.version will be ignored for
coldToFrozen. Also note that for
warmToCold, this is always how the Python script is specified, so there is no applicable
Search and Reporting
If you have modified Splunk Search and Reporting with scripts or other customizations using Python 2, you must update these scripts to use Python 3 syntax.
Analytics for Hadoop and Hadoop Data Roll
Analytics for Hadoop and Hadoop Data roll do not support Python 3 in Splunk Enterprise version 8.x or 9.x. When using Hadoop with Splunk Enterprise:
- Do not set
python.version = python3for the global
python.versionsetting, which resides in the server.conf file.
- Do not remove the Python 2.7 runtime. If your deployment requires the removal of Python 2.7 for security compliance reasons, contact Splunk Support.
Splunk Platform Upgrade Readiness app
Splunk provides the Splunk Platform Upgrade Readiness app for admins to scan deployed apps for any components impacted by migration to Python 3. The app is recommended to prepare for an upgrade to Splunk Enterprise version 8.x or 9.x. For more information, see the Splunk Platform Upgrade Readiness App.
Splunkbase apps and add-ons
Impacted Splunkbase apps and add ons must be resubmitted to Splunkbase after validation of compatibility with the Splunk Enterprise version 8.x or 9.x, including Python 3 testing with AppInspect. Apps that are marked compatible with Splunk Enterprise 7.x and below are Python 2.7-compatible only, while apps that are marked compatible with Splunk Enterprise 8.x or 9.x are Python 3.7-compatible only. Apps that are marked compatible with Splunk Enterprise 7.x and 8.x are compatible with both Python 2.7 and 3.7.
Python 3 migration with the Splunk platform
Python development with Splunk Enterprise
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0