- #516 Added support for macros
- Remove deprecated `wrap_socket` in `Context` class.
- Added explicit support for self signed certificates in https
- Enforce minimal required tls version in https connection
- Add support for python 3.13
- #559 Add exception logging
- Added six.py file back
- #567 Moved "deprecation" dependency
- `ensure_binary`, `ensure_str` and `assert_regex` utility methods have been migrated from `six.py` to `splunklib/utils.py`
- Removed code specific to Python 2
- Removed six.py dependency
- Removed `__future__` imports
- Refactored and Updated `splunklib` and `tests` to utilize Python 3 features
- Updated CI test matrix to run with Python versions - 3.7 and 3.9
- Refactored Code throwing `deprecation` warnings
- Refactored Code violating Pylint rules
- #527 Added check for user roles
- Fix to access the metadata "finished" field in search commands using the v2 protocol
- Fix for error messages about ChunkedExternProcessor in splunkd.log for Custom Search Commands
- #532 Update encoding errors mode to 'replace' [issue#505]
- #507 Masked sensitive data in logs [issue#506]
- #530 Update GitHub CI build status in README and removed RTD(Read The Docs) reference
- #493 Fixed file permission for event_writer.py file [issue#487]
- #500 Replaced index_field with accelerated_field for kvstore [issue#497]
- #502 Updated check for IPv6 addresses
- #490 Added ACL properties update feature
- #495 Added Splunk 8.1 in GitHub Actions Matrix
- #485 Added test case for cookie persistence
- #503 README updates on accessing "service" instance in CSC and ModularInput apps
- #504 Updated authentication token names in docs to reduce confusion
- #494 Reuse splunklib.version in handler.request
- #482 Special handling related to the semantic versioning of specific Search APIs functional in Splunk Enterprise 9.0.2 and (Splunk Cloud 9.0.2209). These SDK changes will enable seamless transition between the APIs based on the version of the Splunk Enterprise in use
- #466 Tests for CSC apps
- #467 Added 'kwargs' parameter for Saved Search History function
- #475 README updates
- #468 SDK Support for splunkd search API changes
- #463 Preserve third-party cookies
- #444 Update tox.ini
- #446 Release workflow refactor
- #448 Documentation changes
- #450 Removed examples and its references from the SDK
- #441 JSONResultsReader added and deprecated ResultsReader
  - Pre-requisite: Query parameter 'output_mode' must be set to 'json'
  - Improves performance by approx ~80-90%
  - ResultsReader is deprecated and will be removed in future releases (NOTE: Please migrate to JSONResultsReader)
- #437 Added setup_logging() method in splunklib for logging
- #426 Added new github_commit modular input example
- #392 Break out search argument to option parsing for v2 custom search commands
- #384 Added Float parameter validator for custom search commands
- #371 Modinput preserve 'app' context
- #439 Modified POST method debug log to not log sensitive body/data
- #431 Add distsearch.conf to Stream Search Command examples [ issue#418 ]
- #419 Hec endpoint issue[ issue#345 ]
- #416 Removed strip() method in load_value() method from data.py file [ issue#400 ]
- #148 Identical entity names will cause an infinite loop
- #440 Github release workflow modified to generate docs
- #430 Fix indentation in README
- #429 Documented how to access modular input metadata
- #427 Replace .splunkrc with .env file in test and examples
- #424 Float validator test fix
- #423 Python 3 compatibility for ResponseReader.str()
- #422 ordereddict and all its reference removed
- #421 Update README.md
- #387 Update filter.py
- #331 Fix a couple of warnings spotted when running python 2.7 tests
- #330 client: use six.string_types instead of basestring
- #329 client: remove outdated comment in Index.submit
- #262 Properly add parameters to request based on the method of the request
- #237 Don't output close tags if you haven't written a start tag
- #149 "handlers" stanza missing in examples/searchcommands_template/default/logging.conf
- #405 Fix searchcommands_app example
- #406 Fix mod inputs examples
- #407 Fixed issue with Streaming and Generating Custom Search Commands dropping fields that aren't present in the first row of results. More details on how to opt-in to this fix can be found here: https://github.com/splunk/splunk-sdk-python/blob/develop/README.md#customization [ issue#401 ]
- #408 Add search mode example
- #409 Add Support for authorization tokens read from .splunkrc [ issue#388 ]
- #413 Default kvstore owner to nobody [ issue#231 ]
- #383 Implemented the possibility to provide a SSLContext object to the connect method
- #396 Updated KVStore Methods to support dictionaries
- #397 Added code changes for encoding '/' in _key parameter in kvstore.data APIs.
- #398 Added dictionary support for KVStore "query" methods.
- #402 Fixed regression introduced in 1.6.15 to once again allow processing of empty input records in custom search commands (fix #376)
- #404 Fixed test case failure for 8.0 and latest(8.2.x) splunk version
- #381 Updated current year in conf.py
- #389 Fixed few typos
- #391 Fixed spelling error in client.py
- #393 Updated development status past 3
- #394 Updated Readme steps to run examples
- #395 Updated random_number.py
- #399 Moved CI tests to GitHub Actions
- #403 Removed usage of Easy_install to install SDK
- #312 Fix issue #309, avoid catastrophic backtracking in searchcommands
- #301 Fix chunk synchronization
- #327 Rename and cleanup follow-up for chunk synchronization
- #352 Allow supplying of a key-value body when calling Context.post()
- #350 Initial end-to-end tests for streaming, reporting, generating custom search commands
- #348 Update copyright years to 2020
- #346 Readme updates to urls, terminology, and formatting
- #317 Fix deprecation warnings
- `SearchCommand` now correctly supports multibyte characters in Python 3.
- Fixed regression in mod inputs which resulted in error `'file' object has no attribute 'readable'`, by not forcing to text/bytes in mod inputs event writer any longer.
- Minor updates to the splunklib search commands to support Python 3
- Added Bearer token support using Splunk Token in v7.3
- Made modinput text consistent
- Changed permissions from 755 to 644 for Python files to pass Appinspect checks
- Removed version check on ssl verify toggle
- Fix custom search command V2 failures on Windows for Python 3
- Fix long type gets wrong values on Windows for Python 2
- Fix buffered input in Python 3
- Fix custom search command on Python 3 on Windows
- Updated the Splunk Enterprise SDK for Python to work with the Python 3 version of Splunk Enterprise on Windows
- Improved the performance of deleting/updating an input
- Added logging to custom search commands app to showcase how to do logging in custom search commands by using the Splunk Enterprise SDK for Python
- Fix ssl verify to require certs when true
- Make the explorer example compatible w/ Python 3
- Add full support for unicode in SearchCommands
- Add return code for invalid_args block
- Fixed XML responses to not throw errors for unicode characters.
Not Applicable
- Changed `splunklib/binding.py` Context class' constructor initialization to support default settings for encrypted http communication when creating the HttpLib object that it depends on. This is extracted from the keyword dictionary that is provided for its initialization. Encryption defaults to enabled if not specified.
- Changed `splunklib/binding.py` HttpLib class constructor to include the `verify` parameter in order to support default encryption if the default handler is being used. Encryption defaults to enabled if not specified.
- Changed `splunklib/binding.py` `handler` function to include the `verify` parameter in order to support default encryption.
- Changed `splunklib/binding.py` `handler`'s nested `connect` function to create the context as unverified if specified by the `verify` parameter.
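
What the two `verify` settings look like at the `ssl` layer, as an added example that is not the SDK's own code: the hypothetical `build_tls_context` helper builds either a verifying context with a minimum TLS version or an unverified one, and the hypothetical `audit_tls_context` reports what each leaves unchecked.

```python
import ssl


def build_tls_context(verify=True, cafile=None,
                      min_version=ssl.TLSVersion.TLSv1_2):
    """Hypothetical helper, not part of splunklib: build a client SSLContext.

    verify=True  -> certificate and hostname are checked; `cafile` may point
                    at the PEM of a self-signed or private CA certificate,
                    in which case only that file is trusted.
    verify=False -> an unverified context: any certificate is accepted.
    """
    if verify:
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = min_version   # refuse older protocol versions
    return ctx


def audit_tls_context(ctx, floor=ssl.TLSVersion.TLSv1_2):
    """Return a list of weaknesses found in an SSLContext (empty if none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname checking disabled")
    if ctx.minimum_version < floor:
        findings.append("minimum TLS version below " + floor.name)
    return findings


if __name__ == "__main__":
    for label, ctx in (("verify=True", build_tls_context()),
                       ("verify=False", build_tls_context(verify=False))):
        print(label, audit_tls_context(ctx) or "ok")
```

Entry #383 in this changelog is the change that lets an `SSLContext` object be provided to the connect method.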
Not Applicable
- Changed `examples/searchcommands_app/package/bin/filter.py` FilterCommand.update doc-string from `map` to `update` in order to align with Splunk search changes.
- Changed `examples/searchcommands_app/package/default/searchbnf.conf` [filter-command].example1 from the `map` keyword to the `update` keyword in order to align with Splunk search changes.
- Changed `splunklib/binding.py` Context class' doc-string to include the `verify` parameter and type information related to the new keyword dictionary parameter `verify`.
- Changed `splunklib/binding.py` `handler` function's doc-string to include the `verify` parameter and type information related to the parameter `verify`.
- Changed `splunklib/client.py` `connect` function doc-string to include the `verify` parameter and type information related to the new keyword dictionary parameter `verify`.
- Changed `splunklib/client.py` `Service` Class' doc-string to include the `verify` parameter and type information related to the new keyword dictionary parameter `verify`.
- Support for Python 3.x has been added for external integrations with the Splunk platform. However, because Splunk Enterprise 7+ still includes Python 2.7.x, any apps or scripts that run on the Splunk platform must continue to be written for Python 2.7.x.
The following bugs have been fixed:
- Search commands error - `ERROR ChunkedExternProcessor - Invalid custom search command type: eventing`.
- Search commands running more than once for certain cases.
- Search command protocol v2 inverting the `distributed` configuration flag.
- Use relative imports throughout the SDK.
- Performance improvement when constructing `Input` entity paths.
- Fixed Search Commands exiting if the external process returns a zero status code (Windows only).
- Fixed Search Command Protocol v2 not parsing the `maxresultrows` and `command` metadata properties.
- Fixed double prepending the `Splunk` prefix for authentication tokens.
- Fixed `Index.submit()` for namespaced `Service` instances.
- Fixed uncaught `AttributeError` when accessing `Entity` properties (GitHub issue #131).
- Fixed broken tests due to expired SSL certificate.
- Added support for KV Store.
- Added support for HTTP basic authentication (GitHub issue #117).
- Improve support for HTTP keep-alive connections (GitHub issue #122).
- Fixed Python 2.6 compatibility (GitHub issue #141).
- Fixed appending restrictToHost to UDP inputs (GitHub issue #128).
- Added support for Travis CI.
- Updated the default test runner.
- Removed shortened links from documentation and comments.
- Added support for the new experimental Search Command Protocol v2, for Splunk 6.3+. Opt-in by setting `chunked = true` in commands.conf. See `examples/searchcommands_app/package/default/commands-scpv2.conf`.
- Added support for invoking external search command processes. See `examples/searchcommands_app/package/bin/pypygeneratext.py`.
- Added a new search command type: EventingCommand is the base class for commands that filter events arriving at a search head from one or more search peers. See `examples/searchcommands_app/package/bin/filter.py`.
- Added `splunklib` logger so that command loggers can be configured independently of the `splunklib.searchcommands` module. See `examples/searchcommands_app/package/default/logger.conf` for guidance on logging configuration.
- Added `splunklib.searchcommands.validators.Match` class for verifying that an option value matches a regular expression pattern.
- GitHub issue 88: `splunklib.modularinput`, `<done/>` written even when `done=False`.
- GitHub issue 115: `splunklib.searchcommands.splunk_csv.dict_reader` raises `KeyError` when `supports_multivalues = True`.
- GitHub issue 119: `None` returned in `_load_atom_entries`.
- Various other bug fixes/improvements for Search Command Protocol v1.
- Various bug fixes/improvements to the full splunklib test suite.
- Added support for cookie-based authentication, for Splunk 6.2+.
- Added support for installing as a Python egg.
- Added a convenience `Service.job()` method to get a `Job` by its sid.
- Restored support for Python 2.6 (GitHub issues #96 & #114).
- Fix `SearchCommands` decorators and `Validator` classes (GitHub issue #113).
- Fix `SearchCommands` bug iterating over `None` in `dict_reader.fieldnames` (GitHub issue #110).
- Fixed JSON parsing errors (GitHub issue #100).
- Retain the `type` property when parsing Atom feeds (GitHub issue #92).
- Update non-namespaced server paths with a `/services/` prefix. Fixes a bug where setting the `owner` and/or `app` on a `Service` could produce 403 errors on some REST API endpoints.
- Modular input `Argument.title` is now written correctly.
- `Client.connect` will now always return a `Service` instance, even if user credentials are invalid.
- Update the `saved_search/saved_search.py` example to handle saved searches with names containing characters that must be URL encoded (ex: `"Top 5 sourcetypes"`).
- Update modular input examples with readable titles.
- Improvements to `splunklib.searchcommands` tests.
- Various docstring and code style corrections.
- Updated some tests to pass on Splunk 6.2+.
- Hot fix to `binding.py` to work with Python 2.7.9, which introduced SSL certificate validation by default as outlined in PEP 476.
- Update `async`, `handler_proxy`, and `handler_urllib2` examples to work with Python 2.7.9 by disabling SSL certificate validation by default.
- Added support for Storage Passwords.
- Added a script (GenerateHelloCommand) to the searchcommand_app to generate a custom search command.
- Added human-readable argument titles to modular input examples.
- Renamed the searchcommand `csv` module to `splunk_csv`.
- Now entities that contain slashes in their name can be created, accessed and deleted correctly.
- Fixed a performance issue with connecting to Splunk on Windows.
- Improved the `service.restart()` function.
- Improved error handling in custom search commands. SearchCommand.process now catches all exceptions and
  - Writes an error message for display in the Splunk UI. The error message is the text of the exception. This is new behavior.
  - Logs a traceback to SearchCommand.logger. This is old behavior.
- Made ResponseReader more streamlike, so that it can be wrapped in an io.BufferedReader to realize a significant performance gain.

  Example usage

  ```python
  import io
  ...
  # Wrap the raw response in a buffered reader before parsing the results
  response = job.results(count=maxRecords, offset=self._offset)
  resultsList = results.ResultsReader(io.BufferedReader(response))
  ```
- The results reader now catches SyntaxError exceptions instead of `xml.etree.ElementTree.ParseError` exceptions. `ParseError` wasn't introduced until Python 2.7. This masked the root cause of data errors in result elements.
- When writing a ReportingCommand you no longer need to include a map method.
- Addressed a problem with autologin and added test coverage for the use case. See `ServiceTestCase.test_autologin` in tests/test_service.py.
- Added features for building custom search commands in Python
  - Access Splunk Search Results Info. See the `SearchCommand.search_results_info` property.
  - Communicate with Splunk. See the `SearchCommand.service` property.
  - Control logging and view command configuration settings from the Splunk command line
    - The `logging_configuration` option lets you pick an alternative logging configuration file for a command invocation.
    - The `logging_level` option lets you set the logging level for a command invocation.
    - The `show_configuration` option writes command configuration settings to the Splunk Job Inspector.
  - Get a more complete picture of what's happening when an error occurs. Command error messages now include a full stack trace.
  - Enable the Splunk Search Assistant to display command help. See `examples/searchcommands_app/default/searchbnf.conf`
  - Write messages for display by the job inspector. See `SearchCommand.messages`.
- Added a feature for building modular inputs.
  - Communicate with Splunk. See the `Script.service` property.
- When running `setup.py dist` without running `setup.py build`, there is no longer a `No such file or directory` error on the command line, and the command behaves as expected.
- When setting the sourcetype of a modular input event, events are indexed properly. Previously Splunk would encounter an error and skip them.
- Better code documentation and unit test coverage.
- Added support for building custom search commands in Python using the Splunk SDK for Python.
- When running `setup.py dist` without running `setup.py build`, there is no longer a `No such file or directory` error on the command line, and the command behaves as expected.
- When setting the sourcetype of a modular input event, events are indexed properly. Previously Splunk would encounter an error and skip them.
- If modular inputs were not being indexed by Splunk because a sourcetype was set (and the SDK was not handling them correctly), they will be indexed upon updating to this version of the SDK.
- Docstring corrections in the modular input examples.
- A minor docstring correction in `splunklib/modularinput/event_writer.py`.
- Added support for building modular input scripts in Python using the Splunk SDK for Python.
- Added 2 modular input examples: `Github forks` and `random numbers`.
- Added a `dist` command to `setup.py`. Running `setup.py dist` will generate 2 `.spl` files for the new modular input example apps.
- `client.py` in the `splunklib` module will now restart Splunk via an HTTP post request instead of an HTTP get request.
- `.gitignore` has been updated to ignore `local` and `metadata` subdirectories for any examples.
- An `AuthenticationError` exception has been added. This exception is a subclass of `HTTPError`, so existing code that expects HTTP 401 (Unauthorized) will continue to work.
- An `"autologin"` argument has been added to the `splunklib.client.connect` and `splunklib.binding.connect` functions. When set to true, Splunk automatically tries to log in again if the session terminates.
- The `is_ready` and `is_done` methods have been added to the `Job` class to improve the verification of a job's completion status.
- Modular inputs have been added (requires Splunk 5.0+).
- The `Jobs.export` method has been added, enabling you to run export searches.
- The `Service.restart` method now takes a `"timeout"` argument. If a timeout period is specified, the function blocks until splunkd has restarted or the timeout period has passed. Otherwise, if a timeout period has not been specified, the function returns immediately and you must check whether splunkd has restarted yourself.
- The `Collections.__getitem__` method can fetch items from collections with an explicit namespace. This example shows how to retrieve a saved search for a specific namespace:

  ```python
  from splunklib.binding import namespace

  # `service` is an already-connected Service instance
  ns = namespace(owner='nobody', app='search')
  result = service.saved_searches['Top five sourcetypes', ns]
  ```
- The `SavedSearch` class has been extended by adding the following:
  - Properties: `alert_count`, `fired_alerts`, `scheduled_times`, `suppressed`
  - Methods: `suppress`, `unsuppress`
- The `Index.attached_socket` method has been added. This method can be used inside a `with` block to submit multiple events to an index, which is a more idiomatic style than using the existing `Index.attach` method.
- The `Indexes.get_default` method has been added for returning the name of the default index.
- The `Service.search` method has been added as a shortcut for creating a search job.
- The `User.role_entities` convenience method has been added for returning a list of role entities of a user.
- The `Role` class has been added, including the `grant` and `revoke` convenience methods for adding and removing capabilities from a role.
- The `Application.package` and `Application.updateInfo` methods have been added.
- `Job` objects are no longer guaranteed to be ready for querying. Client code should call the `Job.is_ready` method to determine when it is safe to access properties on the job.
- The `Jobs.create` method can no longer be used to create a oneshot search (with `"exec_mode=oneshot"`). Use the `Jobs.oneshot` method instead.
- The `ResultsReader` interface has changed completely, including:
  - The `read` method has been removed and you must iterate over the `ResultsReader` object directly.
  - Results from the iteration are either `dict`s or instances of `results.Message`.
- All `contains` methods on collections have been removed. Use Python's `in` operator instead. For example:

  ```python
  # correct usage
  'search' in service.apps

  # incorrect usage
  service.apps.contains('search')
  ```
- The `Collections.__getitem__` method throws `AmbiguousReferenceException` if there are multiple entities that have the specified entity name in the current namespace.
- The order of arguments in the `Inputs.create` method has changed. The `name` argument is now first, to be consistent with all other collections and all other operations on `Inputs`.
- The `ConfFile` class has been renamed to `ConfigurationFile`.
- The `Confs` class has been renamed to `Configurations`.
- Namespace handling has changed and any code that depends on namespace handling in detail may break.
- Calling the `Job.cancel` method on a job that has already been cancelled no longer has any effect.
- The `Stanza.submit` method now takes a `dict` instead of a raw string.
- Collection listings are optionally paginated.
- Connecting with a pre-existing session token works whether the token begins with 'Splunk ' or not; the SDK handles either case correctly.
- Documentation has been improved and expanded.
- Many small bugs have been fixed.
- Improvements to entity state management
- Improvements to usability of entity collections
- Support for collection paging - collections now support the paging arguments: `count`, `offset`, `search`, `sort_dir`, `sort_key` and `sort_mode`. Note that `Inputs` and `Jobs` are not pageable collections and only support basic enumeration and iteration.
- Support for event types:
  - Added Service.event_types + units
  - Added examples/event_types.py
- Support for fired alerts:
  - Added Service.fired_alerts + units
  - Added examples/fired_alerts.py
- Support for saved searches:
  - Added Service.saved_searches + units
  - Added examples/saved_searches.py
- Sphinx based SDK docs and improved source code docstrings.
- Support for IPv6 - it is now possible to connect to a Splunk instance listening on an IPv6 address.

The core module was renamed from `splunk` to `splunklib`. The Splunk product ships with an internal Python module named `splunk` and the name conflict with the SDK prevented installing the SDK into Splunk Python sandbox for use by Splunk extensions. This module name change enables the Python SDK to be installed on the Splunk server.

The client module was modified to enable Entity state caching which required changes to the `Entity` interface and changes to the typical usage pattern.

Previously, entity state values were retrieved with a call to `Entity.read` which would issue a round-trip to the server and return a dictionary of values corresponding to the entity `content` field and, in a similar way, a call to `Entity.readmeta` would issue a round-trip and return a dictionary containing entity metadata values.

With the change to enable state caching, the entity is instantiated with a copy of its entire state record, which can be accessed using a variety of properties:

- `Entity.state` returns the entire state record
- `Entity.content` returns the content field of the state record
- `Entity.access` returns entity access metadata
- `Entity.fields` returns entity content metadata

`Entity.refresh` is a new method that issues a round-trip to the server and updates the local, cached state record.

`Entity.read` still exists but has been changed slightly to return the entire state record and not just the content field. Note that `read` does not update the cached state record. The `read` method is basically a thin wrapper over the corresponding HTTP GET that returns a parsed entity state record instead of the raw HTTP response.

The entity callable returns the `content` field as before, but now returns the value from the local state cache instead of issuing a round-trip as it did before.

It is important to note that refreshing the local state cache is always explicit and always requires a call to `Entity.refresh`. So, for example, if you call `Entity.update` and then attempt to retrieve local values, you will not see the newly updated values, you will see the previously cached values. The interface is designed to give the caller complete control of when round-trips are issued and enable multiple updates to be made before refreshing the entity.

The `update` and action methods are all designed to support a fluent style of programming, so for example you can write:

```python
entity.update(attr=value).refresh()
```

And

```python
entity.disable().refresh()
```

An important benefit and one of the primary motivations for this change is that iterating a collection of entities now results in a single round-trip to the server, because every entity collection member is initialized with the result of the initial GET on the collection resource instead of requiring N+1 round-trips (one for each entity + one for the collection), which was the case in the previous model. This is a significant improvement for many common scenarios.
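
The caching behaviour described above, modelled in memory as an added example that is not code from the SDK: `FakeServer`, `CachedEntity` and `CachedCollection` are hypothetical stand-ins that only count round-trips, and the sample app records are constructed.

```python
class FakeServer:
    """In-memory stand-in for the server; every call is one round-trip."""

    def __init__(self, records):
        self.records = {name: dict(rec) for name, rec in records.items()}
        self.round_trips = 0

    def get_collection(self):
        self.round_trips += 1
        return {name: dict(rec) for name, rec in self.records.items()}

    def get_entity(self, name):
        self.round_trips += 1
        return dict(self.records[name])

    def post_entity(self, name, **changes):
        self.round_trips += 1
        self.records[name].update(changes)


class CachedEntity:
    """Model of an entity that holds a local copy of its state record."""

    def __init__(self, server, name, state):
        self.server, self.name, self._state = server, name, state

    @property
    def content(self):
        return self._state                  # served from the cache only

    def read(self):
        return self.server.get_entity(self.name)   # cache is not updated

    def refresh(self):
        self._state = self.server.get_entity(self.name)
        return self                         # fluent style

    def update(self, **changes):
        self.server.post_entity(self.name, **changes)
        return self                         # cache is left stale on purpose


class CachedCollection:
    def __init__(self, server):
        self.server = server

    def list(self):
        # One GET on the collection initializes every member entity.
        listing = self.server.get_collection()
        return [CachedEntity(self.server, n, s) for n, s in listing.items()]


def demo():
    """Walk through the behaviour and return what was observed."""
    # Constructed sample records.
    server = FakeServer({"search": {"disabled": False},
                         "launcher": {"disabled": False},
                         "sample_app": {"disabled": False}})
    apps = CachedCollection(server).list()
    names = [(a.name, a.content["disabled"]) for a in apps]
    seen = {"names": names, "trips_after_iteration": server.round_trips}
    app = apps[0].update(disabled=True)
    seen["cached_after_update"] = app.content["disabled"]
    seen["read_after_update"] = app.read()["disabled"]
    seen["cached_after_read"] = app.content["disabled"]
    seen["cached_after_refresh"] = app.refresh().content["disabled"]
    seen["total_trips"] = server.round_trips
    return seen


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```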

The `Collection` interface was changed so that `Collection.list` and the corresponding collection callable return a list of member `Entity` objects instead of a list of member entity names. This change was a result of user feedback indicating that people expected to see eg: `service.apps()` return a list of apps and not a list of app names.

Previously the binding context (`binding.Context`) and all tests & samples took a single (optional) `namespace` argument that specified both the app and owner names to use for the binding context. However, the underlying Splunk REST API takes these as separate `app` and `owner` arguments and it turned out to be more convenient to reflect these arguments directly in the SDK, so the binding context (and all samples & test) now take separate (and optional) `app` and `owner` arguments instead of the prior `namespace` argument.

You can find a detailed description of Splunk namespaces in the Splunk REST API reference under the section on accessing Splunk resources at:

- Update all classes in the core library modules to use new-style classes
- Rename Job.setpriority to Job.set_priority
- Rename Job.setttl to Job.set_ttl
- Fix for GitHub Issues: 2, 10, 12, 15, 17, 18, 21
- Fix for incorrect handling of mixed case new user names (need to account for fact that Splunk automatically lowercases)
- Fix for Service.settings so that updates get sent to the correct endpoint
- Check name arg passed to Collection.create and raise ValueError if not a basestring
- Fix handling of resource names that are not valid URL segments by quoting the resource name when constructing its path
- Fix a bug in the dashboard example
- Ramp up README with more info
- Initial Python SDK release