Splunk Cloud Platform

python code not working after declaring python3

DataOrg
Builder

external script was working in python2x version but after forcing to use pythion3, its return with error code 1. python script.

 

import sys,splunk.Intersplunk
import xml.sax
import xml.sax.saxutils as saxutils
from xml.sax.handler import ContentHandler
from xml.sax.handler import EntityResolver
from xml.sax.xmlreader import InputSource
import StringIO

class NullInputSource(InputSource):
    def getByteStream(self):
        return StringIO.StringIO("entity files not supported.")

class NullEntityResolver(EntityResolver):
    def resolveEntity(self,publicId,systemId):
        return NullInputSource()

class XmlHandler(ContentHandler):
    def __init__(self):
        self.indent = 0

    def reset(self , r):
        self.current_output = ''
        self.indent = 0
        self.open_tag = ''

    def getOutput(self):
        return self.current_output

    def startElement(self, name, attrs):
        self.open_tag = name
        self.current_output += '\n' + '  ' * self.indent
        self.indent += 1
        self.current_output += '<' + name

        if attrs.getLength() > 0:
            for k in attrs.getNames():
                self.current_output += ' ' + k + '=' + saxutils.quoteattr(attrs.getValue(k))
        self.current_output += '>'

    def characters(self, content):
        if len(content.strip()) > 0:
#            self.current_output += '  ' * self.indent
            self.current_output += saxutils.escape( content ) #+ '\n'

    def endElement(self, name):
        self.indent -= 1
        if self.open_tag != name:
            self.current_output += '\n' + '  ' * self.indent
        self.current_output += '</' + name + '>'

try:
    results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

    handler = XmlHandler()

    for r in results:
        try:
            if 'xml' in r:
                xml_text = r['xml']
                dest_field = 'xml'
            else:
                raw = r["_raw"]
                dest_field = '_raw'

                xml_text = raw[ raw.index( '<' ) : raw.rindex( '>' )+1 ]

            handler.reset(xml_text)
            parser = xml.sax.make_parser()
            parser.setContentHandler(handler)
            parser.setEntityResolver(NullEntityResolver())
            parser.parse(StringIO.StringIO(xml_text))

            r[dest_field] = handler.getOutput()

            if 'xml' in r:
                xml_text = r['xml']
            else:
                raw = r["_raw"]

        except:
            import traceback
            stack =  traceback.format_exc()
            r['_raw'] = "Failed to parse: " + str(stack) + "\n" + r['_raw']

except:
    import traceback
    stack =  traceback.format_exc()
    results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

splunk.Intersplunk.outputResults( results )

 

@kamlesh_vaghela

 

[xmlformat]
filename = xmlformat.py
retainsevents = true
overrides_timeorder = false
run_in_preview = false
streaming = true
python.version = python3

 

 

Labels (1)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@DataOrg 

Your provided script is not compatible with python3. You can validate by executing below command. It will execute script and gives you appropriate error. 

/opt/splunk/bin/splunk cmd python3 /opt/splunk/etc/apps/MyApp/bin/myscript.py

 

I did the same for you. Can you please try below script?

 

import sys,splunk.Intersplunk
import xml.sax
import xml.sax.saxutils as saxutils
from xml.sax.handler import ContentHandler
from xml.sax.handler import EntityResolver
from xml.sax.xmlreader import InputSource
try:
    from StringIO import StringIO ## for Python 2
except ImportError:
    from io import StringIO ## for Python 3

class NullInputSource(InputSource):
    def getByteStream(self):
        return StringIO("entity files not supported.")

class NullEntityResolver(EntityResolver):
    def resolveEntity(self,publicId,systemId):
        return NullInputSource()

class XmlHandler(ContentHandler):
    def __init__(self):
        self.indent = 0

    def reset(self , r):
        self.current_output = ''
        self.indent = 0
        self.open_tag = ''

    def getOutput(self):
        return self.current_output

    def startElement(self, name, attrs):
        self.open_tag = name
        self.current_output += '\n' + '  ' * self.indent
        self.indent += 1
        self.current_output += '<' + name

        if attrs.getLength() > 0:
            for k in attrs.getNames():
                self.current_output += ' ' + k + '=' + saxutils.quoteattr(attrs.getValue(k))
        self.current_output += '>'

    def characters(self, content):
        if len(content.strip()) > 0:
#            self.current_output += '  ' * self.indent
            self.current_output += saxutils.escape( content ) #+ '\n'

    def endElement(self, name):
        self.indent -= 1
        if self.open_tag != name:
            self.current_output += '\n' + '  ' * self.indent
        self.current_output += '</' + name + '>'

try:
    results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

    handler = XmlHandler()

    for r in results:
        try:
            if 'xml' in r:
                xml_text = r['xml']
                dest_field = 'xml'
            else:
                raw = r["_raw"]
                dest_field = '_raw'

                xml_text = raw[ raw.index( '<' ) : raw.rindex( '>' )+1 ]

            handler.reset(xml_text)
            parser = xml.sax.make_parser()
            parser.setContentHandler(handler)
            parser.setEntityResolver(NullEntityResolver())
            parser.parse(StringIO(xml_text))

            r[dest_field] = handler.getOutput()

            if 'xml' in r:
                xml_text = r['xml']
            else:
                raw = r["_raw"]

        except:
            import traceback
            stack =  traceback.format_exc()
            r['_raw'] = "Failed to parse: " + str(stack) + "\n" + r['_raw']

except:
    import traceback
    stack =  traceback.format_exc()
    results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

splunk.Intersplunk.outputResults( results )

 

Happy Splunking

KV

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

@DataOrg 

Your provided script is not compatible with python3. You can validate by executing below command. It will execute script and gives you appropriate error. 

/opt/splunk/bin/splunk cmd python3 /opt/splunk/etc/apps/MyApp/bin/myscript.py

 

I did the same for you. Can you please try below script?

 

import sys,splunk.Intersplunk
import xml.sax
import xml.sax.saxutils as saxutils
from xml.sax.handler import ContentHandler
from xml.sax.handler import EntityResolver
from xml.sax.xmlreader import InputSource
try:
    from StringIO import StringIO ## for Python 2
except ImportError:
    from io import StringIO ## for Python 3

class NullInputSource(InputSource):
    def getByteStream(self):
        return StringIO("entity files not supported.")

class NullEntityResolver(EntityResolver):
    def resolveEntity(self,publicId,systemId):
        return NullInputSource()

class XmlHandler(ContentHandler):
    def __init__(self):
        self.indent = 0

    def reset(self , r):
        self.current_output = ''
        self.indent = 0
        self.open_tag = ''

    def getOutput(self):
        return self.current_output

    def startElement(self, name, attrs):
        self.open_tag = name
        self.current_output += '\n' + '  ' * self.indent
        self.indent += 1
        self.current_output += '<' + name

        if attrs.getLength() > 0:
            for k in attrs.getNames():
                self.current_output += ' ' + k + '=' + saxutils.quoteattr(attrs.getValue(k))
        self.current_output += '>'

    def characters(self, content):
        if len(content.strip()) > 0:
#            self.current_output += '  ' * self.indent
            self.current_output += saxutils.escape( content ) #+ '\n'

    def endElement(self, name):
        self.indent -= 1
        if self.open_tag != name:
            self.current_output += '\n' + '  ' * self.indent
        self.current_output += '</' + name + '>'

try:
    results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

    handler = XmlHandler()

    for r in results:
        try:
            if 'xml' in r:
                xml_text = r['xml']
                dest_field = 'xml'
            else:
                raw = r["_raw"]
                dest_field = '_raw'

                xml_text = raw[ raw.index( '<' ) : raw.rindex( '>' )+1 ]

            handler.reset(xml_text)
            parser = xml.sax.make_parser()
            parser.setContentHandler(handler)
            parser.setEntityResolver(NullEntityResolver())
            parser.parse(StringIO(xml_text))

            r[dest_field] = handler.getOutput()

            if 'xml' in r:
                xml_text = r['xml']
            else:
                raw = r["_raw"]

        except:
            import traceback
            stack =  traceback.format_exc()
            r['_raw'] = "Failed to parse: " + str(stack) + "\n" + r['_raw']

except:
    import traceback
    stack =  traceback.format_exc()
    results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

splunk.Intersplunk.outputResults( results )

 

Happy Splunking

KV

DataOrg
Builder

@kamlesh_vaghela thanks for the help and teaching for debugging the code . awesome

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@DataOrg  let me check it. BTW Which Splunk version you are using? Splunk 8.0.5 or higher?

0 Karma

DataOrg
Builder

@kamlesh_vaghela  splunk cloud version is 

Version:8.0.2007.1

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...