The content in this document is a subsidiary to the Installation Guide because it became disorganized and the number of possible Python installation combinations and snags intensified. However, that culminated in the collection of excellent information that is provided here. Please remember, the Splunk app install approach was introduced to alleviate several of these issues.
A portion of this document is targeted at those who can’t install packages as Admin or are forced to use Splunk’s embedded Python. For everyone else, please start with the one-liner!
Do any of these words or phrases strike fear in your heart?
If this list seems daunting, head over to Install Splunk App. There’s no shame in it.
- Advanced Installation Guide
- Offline installation
- Frequent gotchas
(Unfinished; more of a brainstorm at this point…)
- Is Python installed? (OS level)
- Is the version greater than 2.7? (Some early 2.7 versions have quirks, but typically this is okay)
- If Python 3.x, is it greater than 3.4? (I’d like to drop 3.4, but lots of old distros still have it.)
- Do you have admin access? (root/Administrator; or can you get it? How hard? Will you need it each time you upgrade ksconf?)
- Do you already have a large Python deployment or dependency? (If so, you’ll probably be fine. Use virtualenv)
- Do you have any prior Python packaging or administration experience?
- Are you dealing with some vendor-specific solution?
- Example: RedHat Software Collections – where they realize their software is way too old, so they try to make it possible to install newer versions of things like Python, but since they aren’t native or the default, you still end up jumping through a bunch of wonky hoops.
- Do you have Internet connectivity? (air gap or blocked outbound traffic, or proxy)
- Do you want to build/deploy your own ksconf extensions? If so, the Python package is a better option. (But at that point, you can probably already handle any packaging issues yourself.)
There are several ways to install ksconf. Technically, all standard Python packaging approaches should work just fine, as there’s no compiled code or external run-time dependencies, so installation is fairly easy. However, for non-Python developers, there are some snags. Installation options are listed from the easiest and most recommended to the more obscure and difficult:
The preferred installation method is to install via the standard Python package tool pip. Ksconf can be installed via the registered kintyre-splunk-conf package using the standard Python process.
There are 2 popular variations, depending on whether or not you would like to install for all users or test it locally.
Use this option if you don’t have admin access
ksconf with virtualenv is a great way to test the tool without requiring admin
privileges and has many advantages for a production install. Here are the basic steps to get
venv to a suitable path for your environment.
# Install Python virtualenv package (if not already installed)
pip install virtualenv
# Create and activate new 'venv' virtual environment
virtualenv venv
source venv/bin/activate
pip install kintyre-splunk-conf
The above virtual environment activation should be run as
This requires admin access.
This is the absolute easiest install method where ‘ksconf’ is available to all users on the system
but it requires root access and
pip must be installed and up-to-date.
On Mac or Linux, run:
sudo pip install kintyre-splunk-conf
On Windows, run this command from an Administrator console.
pip install kintyre-splunk-conf
# Enable the EPEL repo so that `pip` can be installed.
sudo yum install -y epel-release
# Install pip
sudo yum install -y python-pip
# Install ksconf (globally, for all users)
sudo pip install kintyre-splunk-conf
The following assumes the
python27 software collection, but other versions of Python are supported
too. The initial setup and deployment of Software Collections is beyond the scope of this doc.
# scl expects the command to run as a single quoted argument
sudo scl enable python27 'python -m pip install kintyre-splunk-conf'
If pip is missing from a RHSC, then install the following rpm.
yum install python27-python-pip
The ksconf entrypoint script (in the
bin folder) will not work correctly on its
own because it doesn’t know about the scl environment, nor is it in the default PATH. To solve this,
run the following:
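# The redirection must run as root, so use 'sudo tee' rather than 'sudo cat >'.
# Quoting 'HERE' keeps "$@" literal until the wrapper itself runs.
sudo tee /usr/local/bin/ksconf > /dev/null <<'HERE'
#!/bin/sh
source scl_source enable python27
exec /opt/rh/python27/root/usr/bin/ksconf "$@"
HERE
sudo chmod +x /usr/local/bin/ksconf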
Download the latest “Wheel” file from PyPI, copy it to the destination server and install with pip.
Offline pip install:
pip install ~/Downloads/kintyre-splunk-conf-0.4.2-py2.py3-none-any.whl
Deprecated since version 0.6.0: Don’t do this anymore. Please use the KSCONF App for Splunk instead.
Splunk Enterprise 6.x and later installs an embedded Python 2.7 environment.
However, Splunk does not provide packaging tools (such as
pip or the
distutils standard library
which is required to bootstrap install
pip). For these reasons, it’s typically easier and cleaner
to install ksconf with the system-provided Python. However, sometimes the system-provided Python
environment is the wrong version, is missing (like on Windows), or security restrictions prevent the
installation of additional packages. In such cases, Splunk’s embedded Python becomes a beacon of
Download the latest “Wheel” file from PyPI. The path to this download will be
set in the
pkg variable as shown below.
Setup the shell:
export SPLUNK_HOME=/opt/splunk
export pkg=~/Downloads/kintyre_splunk_conf-0.4.9-py2.py3-none-any.whl
Run the following:
cd $SPLUNK_HOME
mkdir Kintyre
cd Kintyre
# Unzip the 'ksconf' folder into SPLUNK_HOME/Kintyre
unzip "$pkg"
# SPLUNK_HOME is expanded now; \$PYTHONPATH and \$@ are left for run time
cat > $SPLUNK_HOME/bin/ksconf <<HERE
#!/bin/sh
export PYTHONPATH=\$PYTHONPATH:$SPLUNK_HOME/Kintyre
exec $SPLUNK_HOME/bin/python -m ksconf "\$@"
HERE
chmod +x $SPLUNK_HOME/bin/ksconf
Test the install:
Open a browser and download the latest “Wheel” file from PyPI.
.zip. (This may require showing file extensions in Explorer.)
Extract the zip file to a temporary folder. (This should create a folder named “ksconf”)
Create a new folder called “Kintyre” under the Splunk installation path (aka
SPLUNK_HOME) By default, this is
Copy the “ksconf” folder to
Create a new batch file called
ksconf.bat and paste in the following. Be sure to adjust for a non-standard
%SPLUNK_HOME% value, if necessary.
@echo off
SET SPLUNK_HOME=C:\Program Files\Splunk
SET PYTHONPATH=%SPLUNK_HOME%\bin;%SPLUNK_HOME%\Python-2.7\Lib\site-packages\win32;%SPLUNK_HOME%\Python-2.7\Lib\site-packages;%SPLUNK_HOME%\Python-2.7\Lib
SET PYTHONPATH=%PYTHONPATH%;%SPLUNK_HOME%\Kintyre
CALL "%SPLUNK_HOME%\bin\python.exe" -m ksconf %*
Splunk\bin folder. (This assumes that
%SPLUNK_HOME%/bin is part of your
%PATH%. If not, add it, or find an appropriate install location.)
Test this by running
ksconf --version from the command line.
Installing ksconf to an offline or network-restricted computer requires three steps: (1) download the latest packages from the Internet to a staging location, (2) transfer the staged content (often as a zip file) to the restricted host, and (3) use pip to install packages from the staged copy. Fortunately, pip makes offline workflows quite easy to achieve. Pip can download a Python package with all dependencies stored as wheel files into a single directory, and pip can be told to install from that directory instead of attempting to talk to the Internet.
The process of transferring these files is very organization-specific. The example below shows the
creation of a tarball (since
tar is universally available on Unix systems), but any acceptable
method is fine. If security is a high concern, this step is frequently where safety checks are
implemented: such as, antivirus scans, static code analysis, manual inspection, and/or
comparison of cryptographic file hashes.
One additional use case for this workflow is to ensure the exact same versions of all packages are
deployed consistently across all servers and environments. Often, building a
pip freeze, is a more appropriate solution. Alternatively, consider using
for even more security benefits.
Pip must be installed on the destination server for this process to work. If pip is NOT installed, see the Offline installation of pip section below.
Step 1: Use pip to download the latest package and their dependencies. Be sure to use the same version of Python that is running on destination machine.
# download packages
python2.7 -m pip download -d ksconf-packages kintyre-splunk-conf
A new directory named ‘ksconf-packages’ will be created and will contain the necessary
Step 2: Transfer the directory or archive to the remote computer. Insert whatever security and file copy procedures necessary for your organization.
# Compress directory (on staging computer)
tar -czvf ksconf-packages.tgz ksconf-packages
# Copy file using whatever means
scp ksconf-packages.tgz user@server:/tmp/ksconf-packages.tgz
# Extract the archive (on destination server)
tar -xzvf ksconf-packages.tgz
# Install ksconf package with pip
pip install --no-index --find-links=ksconf-packages kintyre-splunk-conf
# Test the installation
ksconf --version
The ksconf-packages folder can now be safely removed.
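The "comparison of cryptographic file hashes" check mentioned for the transfer step can be enforced by pip itself. As an added example (not part of the ksconf documentation), the shell functions below build a hash-pinned requirements file from the staged wheels and re-check it on the destination before a `--require-hashes` install; the function names and `ksconf-requirements.txt` are hypothetical, and only `.whl` files are handled.

```shell
#!/bin/sh
# Added example: hash-pin the staged wheels so the destination can detect tampering.

# SHA-256 of one file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Pinned requirement line for one wheel. Wheel file names follow
# {name}-{version}-{python}-{abi}-{platform}.whl
requirement_line() {
    base=${1##*/}
    name=${base%%-*}
    rest=${base#*-}
    printf '%s==%s --hash=sha256:%s\n' "$name" "${rest%%-*}" "$(sha256_of "$1")"
}

# Staging host: print one pinned line per wheel in directory $1.
make_hashed_requirements() {
    for whl in "$1"/*.whl; do
        [ -f "$whl" ] || continue
        requirement_line "$whl"
    done
}

# Destination host: re-hash each wheel in directory $1 and require an exact
# matching line in requirements file $2. Non-zero on any mismatch.
verify_staged_wheels() {
    status=0
    for whl in "$1"/*.whl; do
        [ -f "$whl" ] || continue
        if ! grep -qxF -- "$(requirement_line "$whl")" "$2"; then
            echo "hash mismatch or unlisted wheel: $whl" >&2
            status=1
        fi
    done
    return "$status"
}

# Staging:     make_hashed_requirements ksconf-packages > ksconf-requirements.txt
# Destination: verify_staged_wheels ksconf-packages ksconf-requirements.txt &&
#   pip install --no-index --find-links=ksconf-packages \
#       --require-hashes -r ksconf-requirements.txt
```

Carry the requirements file to the destination by a path separate from the tarball, so that a modified archive cannot also rewrite the hashes it is checked against.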
Use the recommended
pip install procedures listed elsewhere if possible. But if a remote
bootstrap of pip is your only option, then here are the steps. (This process mirrors the steps
above and can be combined, if needed.)
Step 1: Fetch bootstrap script and necessary wheels
mkdir ksconf-packages
curl https://bootstrap.pypa.io/get-pip.py -o ksconf-packages/get-pip.py
python2.7 -m pip download -d ksconf-packages pip setuptools wheel
The ksconf-packages folder should contain 1 script, and 3 wheel (
Step 2: Archive and/or copy to offline server
Step 3: Bootstrap pip
sudo python get-pip.py --no-index --find-links=ksconf-packages/
# Test with
pip --version
If you have a copy of the
pip*.whl (wheel) file, then it can be executed directly by Python. This
can be used to run
pip without actually installing it, or for installing pip initially (bypassing the
get-pip.py script step noted above.)
Here’s an example of how this could work:
Step 1: Download the pip wheel on a machine where
pip works, by running:
pip download pip -d .
This will create a file like
pip-19.0.1-py2.py3-none-any.whl in the current working directory.
Step 2: Copy the pip wheel to another machine (likely where pip isn’t installed.)
Step 3: Execute the wheel by running:
python pip-19.0.1-py2.py3-none-any.whl/pip list
list command with whatever action you need (like
install or whatever).
pip throws an error message like the following:
There was a problem confirming the ssl certificate: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version
...
No matching distribution found for setuptools
The problem is likely caused by changes to the PyPI website in April 2018, when support for TLS v1.0 and 1.1 was removed. Downloading new packages requires upgrading to a new version of pip.
Upgrade pip as follows:
curl https://bootstrap.pypa.io/get-pip.py | python
sudo python above if not in a virtual environment.
If, while trying to install
pip or run a
pip command you see the following error:
ImportError: No module named command.install
Likely this is because you are using a crippled version of Python; like the one that ships with Splunk. This won’t work. Either install the Splunk app package from Splunkbase or install using the OS-level Python.
Here are a few fact gathering type commands that may help you begin to track down problems.
Check your installed Python version by running:
Note that Linux distributions and Mac OS X that ship with multiple versions of Python may have
renamed this to
python2.7 or similar.
If you are running a different Python interpreter version, you can instead run this as:
python2.7 -m pip --version
Confirm installation with the following command:
If this works, it means that
ksconf is installed and is part of your
PATH and should be usable
everywhere in your system. Go forth and conquer!
If this doesn’t work, here are a few things to try:
Check that your
PATH is set correctly.
Try running ksconf as a “module” (sometimes works around a PATH issue). Run
python -m ksconf
If you’re running the Splunk app, try running the following:
cd $SPLUNK_HOME/etc/apps/ksconf/bin/lib
python -m ksconf --version
If this works, then the issue has something to do with your path.
It may be helpful to uninstall (remove) the Splunk app and reinstall from scratch.
- Python packaging docs provide a general overview on installing Python packages, and on how to install per-user vs. system-wide.
- Install PIP docs explain how to bootstrap or upgrade pip, the Python packaging tool. Recent versions of Python come with this by default, but releases before Python 2.7.9 do not.