Python 2’s End-of-Life is rapidly approaching: here’s what that means for your Splunk Deployment


In case you missed it, the version of Python that Splunk currently bundles and ships in Enterprise (Python 2.7) will be end-of-life January 1, 2020. How will this impact your Splunk deployment? Here's our detailed guide!

The What

A lot of Splunk customization is achieved through Python. Splunk Enterprise now supports Python 3, and any Apps or Add-ons with Python 2.7 code will need to be updated for Python 3 compatibility.

The When

Python 3 is bundled with Splunk Enterprise 8.0, which was just released at .conf at the end of October. Currently, Splunk 8.0 still ships with and defaults to Python 2.7, giving customers a migration grace period, but Python 2.7 will ultimately be removed from 8.0 altogether. The exact date of complete removal is still TBD, but Splunk plans to begin phasing out Python 2.7 in early 2020. It’s safe to say that you can plan for Splunk 7 (all versions) to reach its own end-of-life later in 2020, so upgrading to 8.0 will be a pressing initiative for all Splunk customers over the next few months.

The Why

Okay, good to know, but why should I care? Even though Python 2.7 is still supported in version 8 of Splunk, it does reach end-of-life at the end of this year. This means that no improvements will be made to Python 2, even if someone finds a security problem with the product. Your organization might have guidelines against running end-of-life software in production. Also, once Python 2.7 is completely removed from Splunk 8.0, all customers will be impacted, making this something that's better to address as soon as possible.

Next steps

So, now what? In a nutshell, your team will need to find and triage all affected components in any custom applications (Splunkbase and/or third-party apps included). Once that is complete, you will be able to upgrade to Enterprise 8.0.

In order to be compatible with and upgrade to Splunk 8.0 the following are must-do’s: 

  1. Stop using to-be-removed features which include Advanced XML and Splunk Web Legacy Mode as these will not be available options in Splunk 8.0; and
  2. Make CherryPy endpoints (aka custom web controllers) and Mako templates dual compatible with Python 2 and 3. These are both required because they rely on Splunk’s appserver which can only support one Python runtime (currently Python 2.7).

Why dual compatibility instead of Python 3 only? Splunk is encouraging customers to update these components on current versions of Enterprise and Python 3 will not work on Splunk 7. Therefore, dual compatibility will allow customers to upgrade on current versions of Splunk and then migrate or upgrade to Splunk 8.0 without having to worry about breakage. 

In addition to the above, it’s strongly recommended that in-house and Splunkbase App/Add-on developers make custom Python scripts (i.e., Custom Search Commands; Custom REST Endpoints; Scripted Inputs, Lookups, Authentication; Modular Inputs; Custom Alert Actions; and others) dual compatible with Python 2 and 3. These scripts will work out-of-the-box using Python 2 in Splunk 8.0; however, ensuring dual compatibility is recommended because users with strict software support requirements will be upgrading from 2 to 3 as soon as possible.

Bottom line: make these components dual compatible now so that you don’t struggle with updating to Splunk 8.0 later. Another reason not to write in Python 3 only: scripts like Custom Search Commands and Lookups will fail if your app’s customers are not yet upgraded to Splunk 8.0.
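A first-pass triage of an app's custom scripts can be done before reaching for heavier tooling. The following is an added example, not Splunk's own code and not a substitute for the Upgrade Readiness App or AppInspect; it assumes it is run with a Python 3 interpreter, and the function names, the module list and the sample script are constructed for illustration.

```python
import ast
import os
import re

# Standard-library modules present in Python 2.7 but renamed or removed in Python 3
# (a subset chosen for this example, not an exhaustive list).
PY2_ONLY_MODULES = {"urllib2", "urlparse", "ConfigParser", "cPickle", "cStringIO",
                    "StringIO", "httplib", "Queue", "commands"}
IMPORT_RE = re.compile(r"^\s*(?:from\s+([\w.]+)\s+import\b|import\s+(.+))")
# Constructed sample: a Python 2-only scripted input (not taken from any real app).
SAMPLE_PY2_SCRIPT = 'import os, urllib2\nprint "polling"\n'

def imported_modules(line):
    """Return the top-level module names imported by one source line."""
    match = IMPORT_RE.match(line)
    if not match:
        return []
    names = [match.group(1)] if match.group(1) else match.group(2).split("#")[0].split(",")
    return [n.split()[0].split(".")[0] for n in names if n.strip()]

def py3_issues(source, filename="<script>"):
    """Return sorted (line, message) findings; must run under a Python 3 interpreter."""
    findings = []
    try:
        ast.parse(source, filename=filename)
    except (SyntaxError, ValueError) as exc:
        line = getattr(exc, "lineno", None) or 0
        findings.append((line, "does not parse as Python 3: %s" % exc))
    for lineno, text in enumerate(source.splitlines(), start=1):
        for module in imported_modules(text):
            if module in PY2_ONLY_MODULES:
                # Also fires inside try/except ImportError fallbacks; review by hand.
                findings.append((lineno, "imports Python 2-only module " + module))
    return sorted(findings)

def scan_app(app_dir):
    """Map each .py file under app_dir (relative path) to its findings, if any."""
    report = {}
    for dirpath, _dirs, files in os.walk(app_dir):
        for name in (f for f in files if f.endswith(".py")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                found = py3_issues(handle.read(), path)
            if found:
                report[os.path.relpath(path, app_dir)] = found
    return report

if __name__ == "__main__":
    print(py3_issues(SAMPLE_PY2_SCRIPT))
```

Call `scan_app` on an app's directory to get a per-file list of leads. A clean result only means the script parses and avoids the listed imports, so behaviour changes such as bytes versus text handling still need testing.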

Helpful Tools

Fortunately, our friends at Splunk are offering the following tools to help with your Python migration needs:

  1. The Splunk Platform Upgrade Readiness App: This is meant for apps at scale and will scan an instance and return impacted features and scripts to help identify impacted components and advise necessary resolutions.  
  2. AppInspect: This is a tool for app developers to verify that their Splunk apps meet Splunk standards and best practices. The latest version of AppInspect will also provide feedback about Python 3 compatibility.

Hopefully this helps to clarify any looming questions you may have regarding Splunk’s transition to Python 3. For the latest/greatest and more detailed guidelines about upgrading and best practices, head over to Splunk’s Documentation.

If you still have questions, are low on time/resources to ensure required compatibility, or are just plain overwhelmed by the thought of it, don’t hesitate to reach out! Send me a quick email or comment below. We’re happy to make this process a painless one for you and your team.

