Splunk Enterprise Security

Splunk 8 python 2.7 for an app

cfcvendorsuppor
Explorer

Hello,

I'm trying to force an app to use python 2.7 on a Splunk 8 with enterprise security.

The config in server.conf is set to:
python.version = python3

With this setting my app doesn't work anymore, if I change the server.conf to: python.version = python2, it works.

But I would like to keep python3 in server.conf and force the app to use python2, I tried to add the following in the app.conf but it doesn't work:
[install]
python.version = python2

Does anyone know how to force the app to use python 2?

Thank you!

1 Solution

cfcvendorsuppor
Explorer

My problem is fixed, I did set "python.version = python2" in every .conf file of our app, not sure which one did the trick but it works. I was able to set back the main config to python3.

gdaly_splunk
Splunk Employee

I just had to fix/re-configure for this very issue: 

There are TWO methods to successfully control the python version in Splunk 8.x.

Global (all apps by default will use this setting):
/system/local/server.conf -

[general]
python.version = python2

Note:  Your options are 

python.version = {default|python|python2|python3}


App-specific: 
 /{some app i.e. eventgen}/local/app.conf

[install]
python.version = python2

Two hints:
1)   Be very careful to place the python.version statement in the correct stanza given the .conf file (see docs for more info) 
2)   I highly recommend using the app-specific method as the global method will almost certainly cause issues with new Splunk apps (including your own) which require py3.

I hope this is helpful.
Gregg -- TMM:  Platforms, IoT, and Verticals

matthewpearce
Explorer

Actually, I found that I just needed to change my inputs.conf to force my scripted inputs to run on python 2. This worked fine when I added python.version = python2


[script://$SPLUNK_HOME/etc/apps/myapp/bin/my_app_collect_cloud.py]
python.version = python2
disabled = False
index = myindex

I needed to do this, since upgrading from 8.0.6 to 8.2.2 as the apps were forced to use python3 on scripted inputs

0 Karma

chasiubaobao
Engager

Had a similar issue with a TA-user-agents app. Fixed by adding python.version = python2 to the following file.

x:\Splunk\etc\apps\TA-user-agents\default\transforms.conf

0 Karma

rfetters
Engager

In the app conf files where you put python.version = python2, which stanzas did you use? I can't seem to get this to work for the REST API modular input. We would like to set it to python3 in server.conf, but since nothing is working in this add-on app, we are using the default settings of python2.

0 Karma

lkutch_splunk
Splunk Employee

Depending on the app version, it might not be advisable to change it. Just as an example:
https://docs.splunk.com/Documentation/Splunk/latest/Python3Migration/ES#Splunk_Enterprise_Security_v...

0 Karma

cfcvendorsuppor
Explorer

Thank you for the info, I didn't see this. ES seems to be working fine even with the python2 flag in the server.conf, I see various files in the SplunkEnterpriseSecuritySuite app with the python3 flag, so I suppose this correctly overwrites the server.conf setting. I will try to set the python 2 flag for my app in other conf files as well to see if it helps and if I can set the main config to python3.

0 Karma

julianniemeyer
New Member

As I just posted in a thread that has yet to be approved, I have the reverse issue and I used a shell script to invoke Python 3:

/data/splunk/bin/python3.7m  /data/splunk/etc/apps/myprog/bin/myprog.py

Maybe that technique would address your issue?

0 Karma

cfcvendorsuppor
Explorer

Thanks for your answer, yes it could help. Where did you set this? Somewhere within the app?

0 Karma
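
Several replies in this thread come down to which .conf file and stanza inside an app actually carries the python.version override. The following is an added example, not code from any poster or from Splunk: it walks an app's default/ and local/ directories and reports the effective python.version per file and stanza, so python2 pins can be found and reviewed. The sample app tree and all function names are constructed for illustration; the parser assumes one setting per line and does not handle backslash line continuations.

```python
import re
import tempfile
from pathlib import Path

STANZA = re.compile(r"^\[(.*)\]\s*$")
SETTING = re.compile(r"^python\.version\s*=\s*(\S+)")
SCRIPT = "script://$SPLUNK_HOME/etc/apps/myapp/bin/my_app_collect_cloud.py"

def scan_conf(path):
    """Yield (stanza, value) for every python.version line in one .conf file."""
    stanza = "default"  # assumption: lines before any header count as [default]
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        header, setting = STANZA.match(line), SETTING.match(line)
        if header:
            stanza = header.group(1)
        elif setting:
            yield stanza, setting.group(1)

def audit_app(app_dir):
    """Map (conf file, stanza) -> (value, layer); the app's local/ beats default/."""
    found = {}
    for layer in ("default", "local"):  # local is read last so it overrides
        layer_dir = Path(app_dir, layer)
        if layer_dir.is_dir():
            for conf in sorted(layer_dir.glob("*.conf")):
                for stanza, value in scan_conf(conf):
                    found[(conf.name, stanza)] = (value, layer)
    return found

def python2_pins(app_dir):
    """(conf file, stanza) pairs whose effective value is python2."""
    return sorted(k for k, (v, _) in audit_app(app_dir).items() if v == "python2")

def build_sample_app(root):
    """Write a constructed app tree; stanza names mirror those quoted in the thread."""
    files = {
        "default/inputs.conf": f"[{SCRIPT}]\npython.version = python3\ndisabled = False\n",
        "local/inputs.conf": f"# local override\n[{SCRIPT}]\npython.version = python2\n",
        "local/app.conf": "[install]\npython.version = python2\n",
    }
    for rel, body in files.items():
        target = Path(root, "myapp", rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return Path(root, "myapp")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, (value, layer) in sorted(audit_app(build_sample_app(tmp)).items()):
            print(f"{key[0]} [{key[1]}] -> {value} (from {layer}/)")
```

Pointed at a real app directory under etc/apps, `python2_pins` gives a short list of stanzas to revisit once the app's scripts have been ported to Python 3.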