Splunk Cloud Platform

Python 3 Migration

Changes to Splunk Enterprise

Check this manual often for updated information about the Splunk platform Python 3 migration. The content is subject to change.

The Python 3.7 interpreter is used by default in Splunk Enterprise version 9.x. There is no option to use Python 2.7 in Splunk Enterprise version 9.x.

The following changes to Splunk Enterprise version 8.x cause breaking changes to existing Python scripts:

  • Python scripts in the deprecated module system. Any scripts with Python 2 syntax in [app]>appserver>modules>[module name] that aren't Python 3 compatible will cause UI errors, and should be made dual compatible with both Python 2 and 3.
  • Custom web controllers (such as CherryPy endpoints). Requires script-level compatibility with Python 3.7. Failure to make scripts compatible with Python 3.7 may cause issues starting Splunk Web.
  • Custom Mako templates. Requires script-level compatibility with Python 3.7. Failure to make scripts compatible with Python 3.7 may cause issues starting Splunk Web.
  • Advanced XML (deprecated in Splunk version 6.3): removed. If possible, replace Advanced XML with Simple XML. For more information about alternatives to Advanced XML available in Splunk Enterprise, see Building customizations for the Splunk platform.
  • Splunk Web Legacy Mode (deprecated in Splunk version 6.4): removed. Do not set appServerPorts = 0 in web.conf.

To prevent issues starting Splunk Web, revise apps for Python 3 compatibility. If an app cannot be upgraded, it must be removed for Splunk Web to start.

In addition to breaking changes and upgrade steps, a number of features and components are impacted with Splunk Enterprise version 8.x, but deployments can be migrated to Python 3.7 over time. Splunk Enterprise version 8.x includes both Python 2.7 and Python 3.7 interpreters, with Python 2.7 enabled for all custom Python scripts outside of those shipped with Splunk Enterprise.

The Python 2.7 interpreter is used by default in Splunk Enterprise versions 8.0 and earlier for features that include:

  • Custom search commands
  • Custom REST endpoints
  • Scripted authentication
  • Scripted inputs
  • Modular inputs
  • Scripted lookups
  • Custom alert actions
  • Modular alerts
  • Cold-to-frozen scripts

Note that scripted alerts were deprecated in version 6.3 and are not supported in Python 3.7. Create a custom alert action instead. See Create custom alert actions for Splunk Cloud Platform or Splunk Enterprise in the Developer Guide on the Splunk Developer Portal.

Using Python 3-only syntax for these features might be incompatible with the Python 2.7 interpreter which will be enabled by default in the Splunk Enterprise version 8.x. Python scripts that are compatible with both Python 2 and Python 3 should work with either Python interpreter used by Splunk Enterprise, and is recommended for developers. For more information about making Python scripts dual-compatible, see Python Development in Splunk Enterprise.

Splunk Web

Unlike Splunk Enterprise version 8.x, Splunk Web supports only Python version 3.7. Any scripts that depend on Splunk Web must be upgraded to use syntax compatible with both Python 2.7 and 3.7. This will allow upgrades to 8.x from 7.x versions of Splunk Enterprise.

To prevent issues starting Splunk Web, revise apps for Python 3 compatibility. If an app cannot be upgraded, it must be removed for Splunk Web to start.

Python interpreter settings

Splunk Enterprise version 8.x includes a global setting, python.version, to specify which Python interpreter to use across an instance. The global setting resides in the server.conf file, located in $SPLUNK_HOME/etc/system/local/. The stanza that controls Python version is [general]. For more information how Splunk Enterprise uses configuration files, see About configuration files.

For Splunk Enterprise version 8.1, python.version defaults to python3 within server.conf. For prior versions of Splunk Enterprise, python.version defaults to python2.

For Splunk Enterprise version 9.x, the following settings have no impact as only Python 3 is supported. For Splunk Enterprise version 8.x, to force Splunk Enterprise to use only the Python 3 interpreter regardless of script-level setting, set python.version = force_python3. Use this setting if you cannot run Python 2.7 past its EOL date of January 1, 2020, or if your Splunk Enterprise deployment and all Splunk apps and add-ons are fully migrated and ready to run Python 3 only.

Splunk Enterprise also includes python.version settings to control which version of the Python interpreter is used by Splunk Enterprise at the script-level. For the following scripts, the python.version setting resides in the corresponding conf file:

Script type File
Custom search commands commands.conf
Modular inputs inputs.conf
Scripted inputs inputs.conf
Custom alert actions alert_actions.conf
Scripted lookups transforms.conf
Custom REST endpoints restmap.conf
Scripted authentication authentication.conf
coldToFrozenScript indexes.conf

By default, the script-level setting of python.version is not set, and the script will use the Python interpreter specified by the global setting in server.conf. Setting python.version to default or python also uses the Python interpreter specified by the global setting in server.conf. If set to python2 or python3, the corresponding Python interpreter will be used. This overrides the global setting, except if the global setting is force3, in which case Python 3 is always used.

Set python.version to python3 or default to remove Python 3 migration-related start up warnings for your impacted apps.

Apps that must be written in Python 3-only syntax should set python.version to python3 in the appropriate .conf files for individual scripts. Developers should not set python.version in server.conf. For dual-compatibility with both Python 2 and 3, set python.version to python3 in the following .conf files:

  • commands.conf
  • inputs.conf
  • restmap.conf (for custom endpoints)
  • transforms.conf (for scripted lookups)

Additional required setting of python.version specific to your app can be reported by running AppInspect. For more information, see the Splunk AppInspect tool.

Setting python.version for coldToFrozenScript applies if the canonical path to the Python interpreter is used. However, note that for coldToFrozen: 

    * scripts set executable on UNIX with a #! shebang line pointing to a valid interpreter.

If your script is specified with #! /usr/bin/env python, then python.version will be ignored for coldToFrozen. Also note that for warmToCold, this is always how the Python script is specified, so there is no applicable python.version for warmToCold.

Search and Reporting

If you have modified Splunk Search and Reporting with scripts or other customizations using Python 2, you must update these scripts to use Python 3 syntax or to be dual-compatible with both Python 2 and Python 3.

If you must maintain Python 2 compatibility, use Python compatibility libraries provided with Splunk Enterprise to help make apps and add-ons compatible with both Python 2 and Python 3. (Six, Python-future, 2to3). Splunk also updated Splunk Enterprise 7.x maintenance releases to include these Python compatibility libraries. These Splunk-provided libraries should not be used for any other apps; all custom or Splunkbase apps should package their own libraries to respect app structures.

Analytics for Hadoop and Hadoop Data Roll

Analytics for Hadoop and Hadoop Data roll do not support Python 3 in Splunk Enterprise version 8.x or 9.x. When using Hadoop with Splunk Enterprise:

  • Do not set python.version = python3 for the global python.version setting, which resides in the server.conf file.
  • Do not remove the Python 2.7 runtime. If your deployment requires the removal of Python 2.7 for security compliance reasons, contact Splunk Support.

Splunk Platform Upgrade Readiness app

Splunk provides the Splunk Platform Upgrade Readiness app for admins to scan deployed apps for any components impacted by migration to Python 3. The app is recommended to prepare for an upgrade to Splunk Enterprise version 8.x or 9.x. For more information, see the Splunk Platform Upgrade Readiness App.

Splunkbase apps and add-ons

Impacted Splunkbase apps and add ons must be resubmitted to Splunkbase after validation of compatibility with the Splunk Enterprise version 8.x or 9.x, including Python 3 testing with AppInspect. Apps that are marked compatible with Splunk Enterprise 7.x and below are Python 2.7-compatible only, while apps that are marked compatible with Splunk Enterprise 8.x or 9.x are Python 3.7-compatible only. Apps that are marked compatible with Splunk Enterprise 7.x and 8.x are compatible with both Python 2.7 and 3.7.

Last modified on 06 February, 2024
Python 3 migration with the Splunk platform   Python development with Splunk Enterprise

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters