Splunk Cloud Platform

Encountered Winrm module not present issue on Splunk cloud for custom alert action.

Prajwal_Kasar
Explorer

Hello Folks,

I'm encountering an issue with Splunk Cloud where it indicates that the winrm module is not found. I'm attempting to install and run a custom alert action packaged Python application that uses winrm to establish a remote connection to a target server for cleanup processes. However, after installation and testing, I discovered that winrm is not installed in the Splunk Cloud environment used by our organization. Is there any workaround to achieve this and proceed further?

Issue:

ModuleNotFoundError: No module named 'winrm'

Script block that uses winrm:

import winrm
import sys
import argparse
import os

def clean_old_files(TargetServer, FolderPath, FileThresholdInMinutes, UserName, Password):
    # Initialize return values
    deleted_files = []
    deleted_count = 0

    #print(f"Connecting to server: {TargetServer}...")
    #remove above print statement in next deployment.

    try:
        # Establish a WinRM session
        session = winrm.Session(TargetServer, auth=(UserName, Password), transport='ntlm')



0 Karma

Prajwal_Kasar
Explorer

Thank you @livehybrid ,

It did work after installing a compatible version of urllib3. However, now when I try testing the app, I am facing a new issue which says:

'Error: HTTPConnectionPool(host='icia-mesapp1oc.na.pg.com', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f432b936c40>: Failed to establish a new connection: [Errno -2] Name or service not known'))'

I have added all the possible compatible modules and dependencies. 

0 Karma
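The `[Errno -2] Name or service not known` in the error above is a name-resolution failure, which is a different condition from a blocked or closed port 5985/5986. The following preflight check is an added example, not code from the thread or from Splunk; it separates the two cases using only the standard library, and the function name `preflight` and the host `winrm-target.invalid` are constructed for illustration.

```python
import socket

# WinRM listeners: 5985 is the HTTP listener, 5986 the HTTPS listener.
WINRM_PORTS = {5985: "http", 5986: "https"}


def preflight(host, port=5985, timeout=3.0):
    """Classify reachability of host:port as seen from the machine running the alert.

    Returns (status, detail) where status is one of:
      "dns_failure"  - the name does not resolve here (the [Errno -2] case)
      "unreachable"  - the name resolves but the TCP connect fails or times out
      "ok"           - a TCP connection to the port succeeded
    """
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns_failure", str(exc)

    last_err = None
    for family, socktype, proto, _canon, sockaddr in addrs:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
                return "ok", "%s:%d" % (sockaddr[0], sockaddr[1])
        except OSError as exc:  # refused, timed out, no route
            last_err = exc
    return "unreachable", str(last_err)


if __name__ == "__main__":
    # Constructed target: the .invalid TLD is reserved and never resolves.
    for port, scheme in WINRM_PORTS.items():
        print(scheme, port, preflight("winrm-target.invalid", port))
```

Running this from the alert action before opening the WinRM session turns the urllib3 traceback into a short status that says whether the fix belongs in DNS or in network access rules.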

livehybrid
SplunkTrust

Hi @Prajwal_Kasar

1. Include the WinRM library (and its dependencies) in your app bundle before installing it on Splunk Cloud.

# Within your app (the winrm module is published on PyPI as pywinrm)
mkdir lib
pip install --target=lib pywinrm

2. Prepend lib to sys.path in your alert script

# bin/alert_winrm.py - For example
import os, sys
vendor_dir = os.path.join(os.path.dirname(__file__), "../lib")
sys.path.insert(0, vendor_dir)
import winrm

def clean_old_files(TargetServer, FolderPath, FileThresholdInMinutes, UserName, Password):
    session = winrm.Session(TargetServer, auth=(UserName, Password), transport='ntlm')
    # … your cleanup logic …

if __name__ == "__main__":
    # parse args and call clean_old_files()
    pass

 

3. Package & deploy as you would normally

4. Note

  • WinRM may require additional deps (requests, xmltodict, six) but I think pip should install these.
  • Ensure Splunk Cloud can reach your Windows host on port 5985/5986 - this can be managed with ACS.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Prajwal_Kasar
Explorer

Thank you @livehybrid  for the above solution.
However, now that I have added winrm in the app directory and deployed on Splunk Cloud, I am getting a new issue:

ImportError: urllib3 v2 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'OpenSSL 1.0.2zk-fips  3 Sep 2024'. See: https://github.com/urllib3/urllib3/issues/2168]



And below is how I am importing winrm:

import argparse
import os
import sys
lib_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'lib'))
sys.path.insert(0, lib_dir)
import winrm


def clean_old_files(TargetServer, FolderPath, FileThresholdInMinutes, UserName, Password):
    ...

Please guide me on how I can overcome this issue.



 

0 Karma

livehybrid
SplunkTrust

Hi @Prajwal_Kasar 

This means that urllib3 v2.x is not compatible with the version of OpenSSL (1.0.2) installed in your Splunk Cloud Python environment. Even though you may have bundled your own libraries, you can't change the underlying OpenSSL on Splunk Cloud. 

urllib3 v2.0+ dropped support for OpenSSL < 1.1.1; however, many environments (including Splunk Cloud's Python and underlying OS) still use OpenSSL 1.0.2.
To fix this, you need to pin urllib3 to v1.x.

I would try and install a specific urllib3 package 1.26.18 into your lib/deps folder along with winrm, as 1.26.18 supports OpenSSL 1.0.2.

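A packaging-time check for the mismatch described in the answer above, as an added example that is not code from the thread or from Splunk. It reads the vendored urllib3 version from the dist-info directory that `pip install --target` leaves in the lib folder and compares it with the interpreter's OpenSSL version; the function names and the sample bundle directories are constructed for illustration.

```python
import os
import re
import ssl
import tempfile

# urllib3 2.x raises ImportError when ssl is built against an older OpenSSL.
MIN_OPENSSL_FOR_URLLIB3_V2 = (1, 1, 1)


def vendored_urllib3_version(lib_dir):
    """Read the bundled urllib3 version from pip's dist-info directory name,
    without importing urllib3 (the import is the step that fails)."""
    pattern = re.compile(r"urllib3-(\d+)\.(\d+)(?:\.(\d+))?.*\.dist-info")
    for entry in sorted(os.listdir(lib_dir)):
        match = pattern.fullmatch(entry)
        if match:
            return tuple(int(part or 0) for part in match.groups())
    return None


def check_bundle(lib_dir, openssl_info=None):
    """Return (ok, reason) for the urllib3 copy vendored under lib_dir."""
    openssl = tuple((openssl_info or ssl.OPENSSL_VERSION_INFO)[:3])
    version = vendored_urllib3_version(lib_dir)
    if version is None:
        return False, "no urllib3 dist-info directory in " + lib_dir
    if version[0] >= 2 and openssl < MIN_OPENSSL_FOR_URLLIB3_V2:
        return False, ("urllib3 %d.%d.%d needs OpenSSL 1.1.1+, found %d.%d.%d; "
                       "pin urllib3 to 1.26.x" % (version + openssl))
    return True, "urllib3 %d.%d.%d passes the OpenSSL %d.%d.%d check" % (version + openssl)


def make_constructed_bundle(urllib3_version):
    """Build a throwaway lib/ directory holding only a constructed dist-info name."""
    lib_dir = tempfile.mkdtemp(prefix="constructed_lib_")
    os.mkdir(os.path.join(lib_dir, "urllib3-%s.dist-info" % urllib3_version))
    return lib_dir


if __name__ == "__main__":
    # Constructed case: OpenSSL 1.0.2, as reported in the thread's ImportError.
    for ver in ("2.2.1", "1.26.18"):
        print(ver, check_bundle(make_constructed_bundle(ver), openssl_info=(1, 0, 2)))
```

Called with no `openssl_info`, `check_bundle` uses the OpenSSL version of the interpreter it runs under, so it only predicts the Splunk Cloud result when run there or when given that environment's version explicitly.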

 

Esky73
Builder

Thanks, this fixed my issue importing an SDK into an app

pip install urllib3==1.26.18 --target /opt/splunk/etc/apps/<myApp>/bin --upgrade
0 Karma