Upgrading to Splunk 8.x and Python 2.7 End-of-Life

Release Date: 08/10/2020

Author: Frazer Brown

As we begin the run-down to Splunk Enterprise 7.x end-of-support, many of you will be starting to plan your upgrade to Splunk Enterprise 8.x.  Splunk 8.x brings a number of improvements, including support for Python 3.7, increased search performance, alert grouping and a number of security enhancements, so it is a worthwhile trade!

Perhaps the most important change you need to be mindful of is support for Python 3.7.  With the Python 2.7 end-of-life back in Jan 2020, it’s time to update Python scripts so that they’re compatible with Python 3.7.  Splunk 8.x requires that apps are Python 3.7 compatible.  Splunk 8.x includes both the 2.7 and 3.7 runtimes and these can be set on a per-app basis; however, SplunkWeb (the appserver) is Python 3.7 only.  By default, Splunk 8.x will use the Python 2.7 runtime unless the app is written for 3.7 only.  Splunk will eventually remove support for Python 2.7 but no date has been announced yet.  The Splunk-supported apps on Splunkbase have already been updated with Python 3.7 compatibility, so it’ll mostly be any third-party apps or those developed in-house that will need to be checked for compatibility.  If you’re updating your apps from Splunkbase to versions that support Splunk 7.x and 8.x, be sure to read the docs, as there may be important changes to be aware of.

I highly recommend making your apps dual compatible with Python 2.7 and 3.7.  This will allow for a much easier upgrade process.  Apps written for Python 2.7 will only work with Splunk <7.x and apps written for Python 3.7 will only work on Splunk 8.x.  If they’re not dual compatible, you’re adding a number of additional steps and disruption to your platform upgrade.

The Splunk Platform Readiness Upgrade App (available here) can be used to check your apps and will flag components that are likely to be incompatible with the Python 3 runtime.  Also, check any custom CherryPy endpoints and Mako templates and make them dual compatible.  As always, once you’ve amended your code it’s important to validate the changes in a test environment before deploying to production.  In most cases a single instance of Splunk will be sufficient for this task.  It’s important to note that although the Platform Readiness Upgrade app will flag the vast majority of potential issues, it may not catch all of them, so be sure to audit your affected apps line by line.
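As an added illustration of a line-by-line audit (not the Platform Readiness Upgrade App's logic and not code from the author), the script below runs under Python 3, parses each .py file in an app directory, and reports files that fail to parse as Python 3 or that use a few Python 2-only modules and dict methods.  The function names and the short module and method lists are assumptions made for this example, and findings are prompts for manual review: an import guarded by try/except in dual-compatible code will still be listed.

```python
import ast
import os

# Partial lists chosen for this example, not the Readiness App's rule set.
PY2_ONLY_MODULES = {"urllib2", "urlparse", "ConfigParser", "StringIO", "cPickle", "httplib"}
PY2_ONLY_METHODS = {"iteritems", "itervalues", "iterkeys", "has_key"}


def audit_source(source, filename="<string>"):
    """Return sorted (line, message) findings for one Python source text."""
    try:
        tree = ast.parse(source, filename=filename)
    except (SyntaxError, ValueError) as err:
        # Python 2-only syntax (print statement, "except X, e") lands here.
        line = getattr(err, "lineno", None) or 0
        return [(line, "does not parse as Python 3: %s" % err)]
    findings = []
    for node in ast.walk(tree):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        elif isinstance(node, ast.Attribute) and node.attr in PY2_ONLY_METHODS:
            findings.append((node.lineno, "Python 2-only method: .%s()" % node.attr))
        for name in names:
            if name.split(".")[0] in PY2_ONLY_MODULES:
                findings.append((node.lineno, "Python 2-only module: %s" % name))
    return sorted(findings)


def audit_app(app_dir):
    """Audit every .py file under an app directory; returns {path: findings}."""
    report = {}
    for root, _dirs, files in os.walk(app_dir):
        for fname in files:
            if fname.endswith(".py"):
                path = os.path.join(root, fname)
                with open(path, "rb") as handle:
                    findings = audit_source(handle.read(), path)
                if findings:
                    report[path] = findings
    return report


if __name__ == "__main__":
    # Constructed sample, not taken from any real app.
    sample = "import urllib2\nfor k, v in conf.iteritems():\n    pass\n"
    print(audit_source(sample))
```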

The Universal Forwarder does not come bundled with Python, so there is no Enterprise dependency or any prerequisites that need to be completed on your forwarders.  However, if you are running any apps on the forwarders that use Python, those apps will still need to be updated.

If you require any assistance with migrating to Python 3.7, our professional services are able to assist through this process. If you are completing this migration in-house, we recommend that you plan the order of upgrading your architecture ahead of time. Please use the resources available via Splunk Docs to ensure you correctly identify all configurations that need to be updated and that you update them in the correct way. If you are a customer of Somerford Associates, we are more than happy to review your upgrade plan to ensure it is correct.

If you wish to discuss this further and are a current customer of Somerford, please contact your account manager. If you are not currently a customer but are interested in assistance for your Python migration, please get in touch.

All views expressed on this blog are the author’s own and do not represent the opinions of any entity whatsoever with which the author has been, is now or will be affiliated, inc. this organisation whose website the blog is hosted on, or any partner of this organisation.