Splunk® Enterprise

Python 3 Migration

Changes to Splunk Enterprise with Python 3

Check this manual often for updated information about the Splunk platform Python 3 migration. The content is subject to change.

The Python 3.9 interpreter is used by default in Splunk Enterprise version 9.3.x, but Python 3.7 is still available. In Splunk Enterprise version 9.0.x, 9.1.x, and 9.2.x, the Python 3.7 interpreter is used by default.

Python interpreter settings

Splunk Enterprise versions 8.x and higher include the python.version global setting to specify which Python interpreter to use across an instance. The global setting resides in the server.conf file, located in $SPLUNK_HOME/etc/system/local/. The [general] stanza controls the Python version. For more information about how Splunk Enterprise uses configuration files, see About configuration files.

For Splunk Enterprise 9.3, the python.version setting defaults to force_python3 within the server.conf file at installation, which means that your deployment uses Python 3.9 by default. If your Splunk Enterprise deployment and all Splunk apps and add-ons are not fully migrated and ready to run Python 3.9 only, you can change this setting to avoid breaking your apps. Although Python 3.7 and Python 3.9 are largely compatible with each other, as a best practice, test and validate your apps for compatibility.

In Splunk Enterprise 9.3, if you set the python.version setting to force_python3, the default interpreter is Python 3.9. In Splunk Enterprise 9.2, however, if you set the python.version setting to force_python3, the default interpreter is Python 3.7.

The following table explains all of the options for the python.version setting:

| Setting value | Available in Splunk Enterprise versions | Default interpreter | Can apps override this setting? |
|---|---|---|---|
| python3 | 8.x and 9.x | Python 3.7 | Yes, apps can specify a different value. |
| python3.9 | 9.3.x | Python 3.9 | Yes, apps can specify a different value. |
| force_python3 | 9.2.x and lower | Python 3.7 | No, this setting overrides all app-specific settings. |
| force_python3 | 9.3.x and higher | Python 3.9 | No, this setting overrides all app-specific settings. |

Splunk Enterprise also includes python.version settings to control which version of the Python interpreter is used by Splunk Enterprise at the script level. For the following scripts, the python.version setting resides in the corresponding .conf file:

| Script type | File |
|---|---|
| Custom search commands | commands.conf |
| Modular inputs | inputs.conf |
| Scripted inputs | inputs.conf |
| Custom alert actions | alert_actions.conf |
| Scripted lookups | transforms.conf |
| Custom REST endpoints | restmap.conf |
| Scripted authentication | authentication.conf |
| coldToFrozenScript | indexes.conf |

By default, the script-level setting of python.version is not set, and the script uses the Python interpreter specified by the global setting in the server.conf file. Setting the python.version setting to default or python also uses the Python interpreter specified by the global setting in the server.conf file. If you set it to python2 or python3, the corresponding Python interpreter is used. This overrides the global setting, except if the global setting is force_python3, in which case Python 3 is always used.
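The precedence rules above, applied to an app's .conf files as an added example (not code from Splunk or from this manual): it reports, per stanza, which interpreter a script would get under a given global setting, and flags script-level python2 on 9.x. The sample app, its stanza names and the result labels are constructed for illustration, and the small .conf reader assumes no line continuations.

```python
import re

# .conf files that carry a script-level python.version, per the table on this page
SCRIPT_CONFS = {"commands.conf", "inputs.conf", "alert_actions.conf", "transforms.conf",
                "restmap.conf", "authentication.conf", "indexes.conf"}
GLOBAL_INTERPRETER = {"python3": "Python 3.7", "python3.9": "Python 3.9"}  # global table

def parse_conf(text):
    """Minimal .conf reader (assumption: no line continuations): {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def effective_interpreter(global_value, script_value, version):
    """Resolve one script's interpreter; version is (major, minor), e.g. (9, 3)."""
    if global_value == "force_python3":              # overrides all app-specific settings
        return "Python 3.9" if version >= (9, 3) else "Python 3.7"
    if script_value in (None, "default", "python"):  # unset: follow server.conf
        return GLOBAL_INTERPRETER.get(global_value, "unrecognized: " + str(global_value))
    if script_value == "python3":   # the page does not name a minor version for this case
        return "Python 3"
    if script_value == "python2":   # 9.x has no Python 2.7 option, so flag it
        return "Python 2.7" if version < (9, 0) else "python2 requested; no Python 2.7 in 9.x"
    return "unrecognized: " + script_value

def audit_app(conf_files, global_value, version):
    """conf_files maps file name -> text; returns (file, stanza, script value, result) rows."""
    return [(name, stanza, s.get("python.version"),
             effective_interpreter(global_value, s.get("python.version"), version))
            for name in sorted(conf_files) if name in SCRIPT_CONFS
            for stanza, s in parse_conf(conf_files[name]).items()]

# Constructed sample app (hypothetical names), not taken from a real Splunk app
SAMPLE_APP = {
    "commands.conf": "[mycommand]\nfilename = mycommand.py\npython.version = python3\n",
    "inputs.conf": "[script://./bin/legacy_poll.py]\ninterval = 300\npython.version = python2\n",
    "restmap.conf": "[script:my_endpoint]\nhandler = my_handler.Handler\n",
    "app.conf": "[launcher]\nversion = 1.0.0\n",
}

if __name__ == "__main__":
    print(*audit_app(SAMPLE_APP, "python3", (9, 2)), sep="\n")
```

Running the same audit with the global value set to force_python3 shows every stanza resolving to the forced interpreter, which is the case where an unmigrated script breaks.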

Set the python.version setting to python3 or default to remove Python 3 migration-related start-up warnings for your impacted apps.

For apps that must be written in Python 3-only syntax, set python.version to python3 in the appropriate .conf files for individual scripts. Do not set the python.version setting in the server.conf file. For dual-compatibility with both Python 2 and 3, set the python.version setting to python3 in the following .conf files:

  • commands.conf
  • inputs.conf
  • restmap.conf (for custom endpoints)
  • transforms.conf (for scripted lookups)

You can report additional required settings of python.version specific to your app by running AppInspect. For more information, see Validate the quality of Splunk apps and add-ons for Splunk Cloud Platform or Splunk Enterprise using Splunk AppInspect.

Setting the python.version setting for the coldToFrozenScript type applies if you use the canonical path to the Python interpreter. However, for coldToFrozen, you see the following message:

    * scripts set executable on UNIX with a #! shebang line pointing to a valid interpreter.

If your script is specified with #! /usr/bin/env python, then the python.version setting is ignored for coldToFrozen. The warmToCold type always specifies the Python script with #! /usr/bin/env python, so there is no applicable python.version setting for the warmToCold type.

Splunk Platform Upgrade Readiness app

Splunk provides the Splunk Platform Upgrade Readiness app for admins to scan deployed apps for any components impacted by migration to Python 3. The app is recommended to prepare for an upgrade to Splunk Enterprise version 8.x or 9.x. For more information, see the Splunk Platform Upgrade Readiness App.

Removing Python 2.7 from your Splunk Enterprise deployment

There is no option to use Python 2.7 in Splunk Enterprise version 9.x. The following changes to Splunk Enterprise version 8.x and higher cause breaking changes to existing Python scripts:

  • Python scripts in the deprecated module system. Any scripts with Python 2 syntax in [app]>appserver>modules>[module name] that aren't Python 3 compatible will cause UI errors.
  • Custom web controllers (such as CherryPy endpoints). Requires script-level compatibility with Python 3.7. Failure to make scripts compatible with Python 3.7 may cause issues starting Splunk Web.
  • Custom Mako templates. Requires script-level compatibility with Python 3.7. Failure to make scripts compatible with Python 3.7 may cause issues starting Splunk Web.
  • Advanced XML (deprecated in Splunk version 6.3): removed. If possible, replace Advanced XML with Simple XML. For more information about alternatives to Advanced XML available in Splunk Enterprise, see Building customizations for the Splunk platform.
  • Splunk Web Legacy Mode (deprecated in Splunk version 6.4): removed. Do not set appServerPorts = 0 in web.conf.

Splunk Web

To prevent issues starting Splunk Web, revise apps for Python 3 compatibility. If an app cannot be upgraded, it must be removed for Splunk Web to start.

Search and Reporting

If you have modified Splunk Search and Reporting with scripts or other customizations using Python 2, you must update these scripts to use Python 3 syntax.

Analytics for Hadoop and Hadoop Data Roll

Analytics for Hadoop and Hadoop Data Roll do not support Python 3 in Splunk Enterprise version 8.x or higher. When using Hadoop with Splunk Enterprise:

  • Do not set python.version = python3 for the global python.version setting, which resides in the server.conf file.
  • Do not remove the Python 2.7 runtime. If your deployment requires the removal of Python 2.7 for security compliance reasons, contact Splunk Support.

Splunkbase apps and add-ons

Impacted Splunkbase apps and add-ons must be resubmitted to Splunkbase after validation of compatibility with Splunk Enterprise version 8.x or 9.x, including Python 3 testing with AppInspect. Apps that are marked compatible with Splunk Enterprise 7.x and below are Python 2.7-compatible only, while apps that are marked compatible with Splunk Enterprise 8.x or 9.x are Python 3.7-compatible only. Apps that are marked compatible with Splunk Enterprise 7.x and 8.x are compatible with both Python 2.7 and 3.7.

Last modified on 18 June, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.1.6, 9.3.0, 9.3.1
