As of 1st January 2020, Python version 2.x is deprecated. Several functions that ran fine on Python 2 no longer work on Python 3. The announcement can be found here.
Splunk is asking all developers who have published a Splunk app to make their modular inputs and other scripts work either with Python 3 or with both versions.
For my Splunk application “PCAP Analyzer For Splunk” I run a Python script for the modular input. With the modular input, every user of my app can define the location of his or her choice.
Over the last few years the script worked with Splunk running Python 2. Over the last few days I’ve changed the script so that it supports Splunk environments running on Python 2 and Python 3.
Modular Input Script
With the help of the developer documentation, the script looks like this now:
    import os
    import sys
    import logging

    from splunklib.modularinput import *


    class MyScript(Script):

        def get_scheme(self):
            # Describe the input and its single "path" argument to Splunk
            scheme = Scheme("PCAP File Location")
            scheme.description = "Location of PCAP files to be analyzed"
            scheme.use_external_validation = True
            scheme.use_single_instance = False

            path_argument = Argument("path")
            path_argument.data_type = Argument.data_type_string
            path_argument.description = "Please specify the full path of the PCAP file location"
            path_argument.required_on_create = True
            scheme.add_argument(path_argument)

            return scheme

        def validate_input(self, validation_definition):
            # Called by Splunk before the input is saved
            path = str(validation_definition.parameters["path"])
            if len(path) < 1:
                raise ValueError("Please specify a path!")

        def stream_events(self, inputs, ew):
            if (sys.version_info > (3, 0)):
                # Python 3: dict.iteritems() no longer exists
                for input_name, input_item in inputs.inputs.items():
                    path = str(input_item["path"])
                    event = Event()
                    event.stanza = input_name
                    event.data = 'path="%s"' % path
                    ew.write_event(event)
            else:
                # Python 2
                for input_name, input_item in inputs.inputs.iteritems():
                    path = str(input_item["path"])
                    event = Event()
                    event.stanza = input_name
                    event.data = 'path="%s"' % path
                    ew.write_event(event)


    if __name__ == "__main__":
        sys.exit(MyScript().run(sys.argv))
My problem was in the stream_events function. In Python 3, dict.iteritems() can no longer be used; you have to use dict.items() instead. With the help of the if statement if (sys.version_info > (3, 0)), I was able to make the modular input work with both Python 2 and Python 3.
To find out which version of Python your Splunk instance is running, you can use the following command:
$SPLUNK_HOME/bin/splunk cmd python -V
# /opt/splunk/bin/splunk cmd python -V
Python 2.7.17
To force your Splunk instance to use Python 3, you can change the server.conf file located in $SPLUNK_HOME/etc/system/local and add the following parameter:
python.version = python3
Feel free to contact me in case you see an error or have other questions.