Should I Migrate my Splunk Environment to Python 3? Yes…No…Yes!!!

Splunk released version 8.0 in Oct 2019 and also announced the much-anticipated support for Python 3. In the current release, Splunk has kept both the Python 2 and Python 3 interpreters, with Python 2 as the default choice, which makes perfect sense.

Splunk has also released documents for the Python 3 migration, along with recommendations and tips around migration. Still, the decision about sticking with Python 2 or migrating to Python 3 remains yours.

This article is driven by the various questions we’ve received from our customers after the Splunk 8.0 release, and our findings from various Splunk environments. So, we decided to come up with a practical approach for Python 3 migration.

Before we go through the recommended steps for Python 3 migration, let’s first debunk some of the myths regarding Splunk 8.0 and Python 3.

Myth 1. Upgrading your environment to Splunk 8.0 also means migrating to Python 3.

That’s not completely true. Splunk has migrated Splunk Web to Python 3 internally. As long as you don’t have any custom web controller endpoints (like CherryPy) or custom Mako templates in your existing environment, you can still stick with Python 2 after upgrading Splunk to 8.0. Chances are very low of having these features in your environment unless your Splunk admin has decent programming knowledge and a spirit of adventure. In fact, Splunk has provided you some runway in Splunk 8.0 for the Python 3 migration. You have a reasonable amount of time before you take off to the Python 3 world.

Myth 2. Your current environment is running perfectly with Python 2, so you don’t need to take on the pain of a Python 3 migration. 

This is true if you are a person who doesn’t care and doesn’t owe an answer to anyone. Keep in mind that Python 2 reached end of life on Jan 1, 2020 and is no longer supported. Any new bugs found in Python 2 will not be fixed going forward. Your CISO would not like the idea of running a Splunk environment on an unsupported software version for long. If you are following security compliance, you will have to switch to Python 3 to meet compliance requirements.

Splunk will eventually end support for Python 2. So, to get all the benefits of new features with the latest versions of Splunk and also ease of getting help from Splunk support for any issues, you have to upgrade your Splunk environment sooner or later.

Myth 3. Your environment (Python scripts, actually) can be either Python 2 compatible or Python 3 compatible, but not both.

It’s true that Python 3.x is not backward compatible. However, you can have your Splunk environment compatible with both Python 2 and 3. Splunk has provided enough guidelines and resources for that here. Still, you may not have complete control over this decision, depending on the apps and add-ons you have deployed. But the point is dual compatibility is possible.

The reality is that you will not likely upgrade all your applications to Python 3 at once. The reason is you likely have a mix of apps developed and supported by Splunk, vendors, partners, developers, etc. And it’s fair to say not all the apps are currently upgraded for dual compatibility or support Python 3.

For example, the latest version (6.0) of the Splunk premium app Enterprise Security is not fully compatible with Python 3, and you have no choice but to run it with Python 2.

Nevertheless, you should assess where you stand today. Keep working toward migration, and eventually migrate to Python 3 when upgrading your environment to 8.x in the future.

Below are the recommended steps for this migration process.

Step 1. Install the Splunk Platform Upgrade Readiness App on a standalone Splunk test instance (7.X). You can find the app here.

Step 2. Install all the apps and add-ons on the test Splunk instance, and run a scan against your apps from the Upgrade Readiness app. You have a choice to run a separate scan for Splunkbase apps and for any private/in-house apps. The scan results will give you a detailed description if any app is going to break after the upgrade to Splunk 8.0. This includes detection of Advanced XML and legacy Splunk Web issues. The scan will give you warnings for the Python scripts that are not dual compatible. In fact, it identifies the code block that is not dual compatible.

You can see one such instance in this screenshot. 

Step 3. You will need to resolve all the failure and warning messages regarding Python 3 compatibility for your homegrown applications. Splunk has provided guidelines for that here.

Step 4. You may want to reach out to the respective owner/developer of Splunkbase apps and check with them regarding their plans and ETA for Python 3 compatibility.

Step 5. Once you make sure that all of your apps and add-ons are compatible with Python 3 and there are no warnings or failures reported by the Splunk Upgrade Readiness scan, you should upgrade your test instance to 8.x and make a system-level change ($SPLUNK_HOME/etc/system/local/server.conf) to tell Splunk to run everything on Python 3. Splunk has provided a detailed document for the upgrade and migration here, which you should definitely check out.

Step 6. If there are no errors or issues after the upgrade and Python 3 migration, you are good to go for the actual Splunk production environment upgrade.
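
The kind of check described in Steps 2 and 3, as an added example that is not from the original article and is not the Upgrade Readiness App's own code: a small Python 3 script that parses each script with the Python 3 grammar and flags a few Python 2-only constructs, with file and line. The pattern list, the function names and the sample script are assumptions made for illustration.

```python
import ast
import re
from pathlib import Path

# Heuristic, illustrative subset of Python 2-only constructs (an assumption of this
# example). These parse under Python 3 but fail at import or run time.
PY2_ONLY = [
    (re.compile(r"^\s*(?:import|from)\s+(urllib2|urlparse|ConfigParser|cPickle|httplib)\b"),
     "module renamed or removed in Python 3"),
    (re.compile(r"\.(iteritems|itervalues|iterkeys|has_key)\s*\("),
     "dict method removed in Python 3"),
    (re.compile(r"\b(unicode|basestring|xrange|raw_input)\b"),
     "builtin removed in Python 3"),
]

def scan_source(name, source):
    """Return (file, line, message) findings for one script, ordered by line."""
    findings = []
    try:
        ast.parse(source, filename=name)  # parses only, never executes the script
    except SyntaxError as exc:  # the parser stops at the first error it meets
        findings.append((name, exc.lineno or 0, "does not parse under Python 3: %s" % exc.msg))
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]  # naive comment strip, good enough for triage
        for pattern, message in PY2_ONLY:
            match = pattern.search(code)
            if match:
                findings.append((name, lineno, "%s: %s" % (match.group(1), message)))
    return sorted(findings, key=lambda f: f[1])

def scan_app(app_dir):
    """Scan every .py file under one app directory."""
    findings = []
    for path in sorted(Path(app_dir).rglob("*.py")):
        findings.extend(scan_source(str(path), path.read_text(encoding="utf-8", errors="replace")))
    return findings

# Constructed sample: a Python 2-only script of the kind the scan warns about.
LEGACY_SCRIPT = """import urllib2

def fetch(url, headers):
    for key, value in headers.iteritems():
        print "header", key
    return urllib2.urlopen(url).read()
"""

if __name__ == "__main__":
    for _name, lineno, message in scan_source("bin/fetch.py", LEGACY_SCRIPT):
        print("line %d: %s" % (lineno, message))
```

Run it with a Python 3 interpreter. A script that comes back with no findings still needs the functional test on the upgraded instance in Step 6, since the patterns cover only a subset of the differences between Python 2 and 3.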

The good news is that you are not forced to migrate to Python 3 with Splunk 8. Still, you will need to be diligent about which applications and add-ons are migrating, and assess your organization’s position on running an unsupported version of Python. Splunk has provided the documentation and tools to guide you through this process.

From Planning to Optimization, Aditum can help. 

You know Splunk can be a major contributor to your organization’s success.  How do you make sure you’re getting the value from your Splunk investment?

Aditum’s Success Plan for Splunk gives you monthly access to senior consultants, who will work with you as you optimize your organization’s Splunk usage and plan for expansion and migration.  It’s like having an experienced co-pilot to help you navigate your Splunk journey.

Aditum’s Splunk Managed Services takes the burden of administering Splunk off your hands.  We’ll take care of the details and give you a partner in driving Splunk adoption and expansion in your organization.

Want to know more?  Give us a call at (727) 240-3603 or drop us an email.

Pankaj Varjani