Upcoming changes for Splunk Enterprise 10.2 and Splunk Cloud Platform 10.2
This article provides a summary of changes to the Splunk Enterprise and Splunk Cloud Platform coming in version 10.2 (collectively, "Splunk platform 10.2" for the rest of this document). The article includes detailed information about the nature of these changes, the parties that the changes affect, and any necessary mitigation strategies. The objective of this article is to help you plan and act promptly.
Potentially Breaking Changes
Customers and app developers alike should carefully review all changes in this section as you prepare to migrate to Splunk platform 10.2 since there is a potential for disruption.
Running Splunk Enterprise Without the Root User
Summary: The Splunk platform has been changed to run without root privileges.
Overview: Several of the dependencies of the Splunk platform do not allow you to run them as the root user. Starting with Splunk platform 10.2, when you run the Splunk platform as a root user, the operation will fail with an error message. As a temporary measure, you can run Splunk Enterprise as a root user using the --run-as-root CLI argument, but we recommend all customers move away from this practice. This change does not affect Splunk Cloud Platform customers.
Affected Customers: Customers that run Splunk Enterprise with root permissions.
Issue Detection & Mitigation Guidance: If you encounter an error message when you start Splunk Enterprise as a root user, either configure Splunk Enterprise to run as a non-root account, or use the --run-as-root CLI argument when you start Splunk Enterprise.
Installing Splunk Enterprise for Windows as a Local Administrator or Domain User
Summary: As part of an overall effort to improve security, Splunk has removed the ability to install Splunk Enterprise on Windows as either the local administrator or a domain user. This means that if you have installed Splunk Enterprise on Windows as the local system or a domain user previously, the installer now installs Splunk Enterprise as the NT Service\splunkd service user.
Affected customers: Customers that run Splunk Enterprise on Windows and run the software as either the Windows Local System user or a domain user.
Issue detection and Mitigation Guidance: You can retain your existing user configuration by supplying the INSTALL_AS_ADMINISTRATOR=1 CLI argument during the upgrade. It is no longer possible to install Splunk Enterprise for Windows as a domain user, but you can install the universal forwarder instead as it still allows running as the local administrator or a domain user. You can run both Splunk Enterprise and the universal forwarder on the same machine.
Changes for Edge Processor on Splunk Enterprise
Summary: Upgrading to Splunk Enterprise 10.0.3 or 10.2 includes security updates that address specific common vulnerabilities and exposures (CVEs) but also make certain older Linux distributions incompatible with Edge Processor.
Overview: If you upgrade your data management control plane to Splunk Enterprise 10.0.3 or 10.2 while it and its associated edge processors are running on unsupported versions of Linux, those edge processors will crash, and data loss can occur.
Affected Customers: Customers that run Edge Processor data management control plane and node instances on Splunk Enterprise.
Issue detection and mitigation guidance: Update the operating systems on all management nodes and edge processor instances to a supported Linux version before upgrading to Splunk Enterprise 10.0.3 or 10.2. Refer to the Installation requirements for Edge Processors for the latest list of supported Linux-based operating systems. Operating systems on machines that Edge Processor does not use do not need updates.
Python 3.13 for Splunk Web
Summary: Apps that run Python code through Splunk Web – through either Splunk Web custom REST endpoints or custom Mako templates – will use Python 3.13 instead of Python 3.9.
Overview: Starting with Splunk platform 9.4, Splunk Web began running Splunk Web custom REST endpoints and custom Mako templates using version 3.9 of the Python interpreter, instead of version 3.7, which had been in use in this context since Splunk Enterprise version 8.0. Starting with Splunk platform 10.2, Splunk Web will instead run this code using Python 3.13. To this end, you will need to test Splunk Web custom REST endpoints and custom Mako templates for compatibility with Python 3.13.
Note: Splunk does not officially support custom Mako templates. Do not interpret this notification as an intention for future support.
Affected Customers: Developers whose apps implement Splunk Web Custom REST Endpoints or Custom Mako Templates and customers who use these apps.
Issue Detection & Mitigation Guidance:
- Splunk app developers: Developers must ensure that the Python code that they use in Splunk Web custom REST endpoints and custom Mako templates works as they expect in Python version 3.13, ideally by testing using a test Splunk Enterprise 10.2 installation. App developers can leverage AppInspect to determine if their apps are affected – any "warn" results from the following checks indicate that they must act:
  - Splunk Web Custom REST Endpoints: check_cherrypy_controllers
  - Mako Templates: check_for_existence_of_python_code_block_in_mako_template
- Splunk Cloud Platform and Splunk Enterprise customers: Wherever possible, update apps from Splunkbase, including both Splunk-built and third-party apps, to versions that Splunk marks as compatible with Splunk platform 10.2, either in preparation for, or as part of, their Splunk platform upgrades.
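As a complement to the AppInspect checks above, the following added example (not Splunk's code and not part of AppInspect) scans an app's Python files for imports of standard-library modules that exist in Python 3.9 but have been removed by 3.13. It covers whole-module removals only, not changed APIs or Python embedded in Mako templates; the function names and the sample source are constructed for illustration.

```python
import ast
from pathlib import Path

# Top-level stdlib modules present in Python 3.9, keyed by the release that removed them.
REMOVED = {
    "3.10": {"formatter", "parser", "symbol"},
    "3.11": {"binhex"},
    "3.12": {"asynchat", "asyncore", "distutils", "imp", "smtpd"},
    "3.13": {"aifc", "audioop", "cgi", "cgitb", "chunk", "crypt", "imghdr",
             "lib2to3", "mailcap", "msilib", "nis", "nntplib", "ossaudiodev",
             "pipes", "sndhdr", "spwd", "sunau", "telnetlib", "uu", "xdrlib"},
}
BY_MODULE = {mod: ver for ver, mods in REMOVED.items() for mod in mods}


def find_removed_imports(source, filename="<string>"):
    """Return sorted (line, module, removed_in) for each import of a removed module."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            names = [node.module]  # absolute "from x import y" only
        else:
            continue
        for top in (name.split(".")[0] for name in names):
            if top in BY_MODULE:
                hits.append((node.lineno, top, BY_MODULE[top]))
    return sorted(hits)


def scan_app(app_dir):
    """Scan every .py file under app_dir; files that do not parse are reported too."""
    report = {}
    for path in sorted(Path(app_dir).rglob("*.py")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = find_removed_imports(text, str(path))
        except SyntaxError as exc:  # e.g. leftover Python 2 syntax
            hits = [(exc.lineno or 0, "<syntax error>", "n/a")]
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample resembling the top of a Splunk Web custom controller.
SAMPLE_CONTROLLER = "import cgi, json\nfrom distutils.version import LooseVersion\nimport os.path\n"
```

Call `scan_app()` on the app's directory and treat every reported file as needing review before the upgrade.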
Node.js Removal
Summary: Splunk no longer ships Node.js as of Splunk platform 10.2. Customers who use apps that leverage this runtime must update the apps to compatible versions.
Overview: Splunk updated Node.js from version 8 to version 20 in the Splunk platform 10.0 release, then subsequently deprecated the runtime. We notified the Splunk community that we would remove Node.js in a future Splunk platform release, and this was done in Splunk platform 10.2. This change does not affect Splunk platform functionality, but any apps that depend on Node.js will be affected if they do not follow Splunk guidance for developers to bundle their own Node.js runtime as part of their app – or, better, to migrate away from Node.js entirely.
Affected Customers: Developers whose apps use Node.js to run backend JavaScript code and customers who use these apps.
Issue Detection & Mitigation Guidance:
- Splunk app developers: App developers can leverage AppInspect to determine if their apps are affected. Any "warn" results from the following AppInspect checks indicate that developers must take action:
  - check_for_js_in_saved_searches_action_script
  - check_js_custom_alert_actions
  - check_js_use_in_modular_inputs
  - check_js_use_in_scripted_inputs
  - check_js_use_in_custom_search_commands
  - check_invoking_bundled_node
Apps published to Splunkbase should indicate compatibility with Splunk 10.2 after new versions are released or when compatibility with Splunk 10.2 is confirmed.
- Splunk Cloud Platform and Splunk Enterprise customers: Customers are encouraged to update apps from Splunkbase, including both Splunk-built and 3rd party apps, to versions that Splunk marks as compatible with Splunk platform 10.2, either in preparation for, or as part of, their Splunk platform upgrades.
SHA1 signed certificates are no longer supported due to OpenSSL3
- Summary: Starting with Splunk platform 10, certificates with SHA-1 signatures are no longer accepted due to OpenSSL3.
- Affected customers: All customers who use either:
  - Splunk Enterprise, or
  - Splunk Cloud Platform including customer managed
    - Forwarders (universal or heavy), or
    - Federated Search nodes.
- Issue detection and mitigation: All Splunk system certificates currently using SHA-1 must be re-issued and migrated to signatures with SHA-256 or higher.
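To find the certificates that need re-issuing, the following added example (not Splunk tooling) reads the signatureAlgorithm OID of every certificate in a PEM bundle using only the Python standard library and reports the ones signed with SHA-1. The function names are hypothetical, and the sample bundle is built from constructed DER skeletons rather than real certificates.

```python
import base64
import re

# DER-encoded signature-algorithm OIDs (hex) whose digest is SHA-1.
SHA1_SIG_OIDS = {
    "2a864886f70d010105": "sha1WithRSAEncryption (1.2.840.113549.1.1.5)",
    "2a8648ce3d0401": "ecdsa-with-SHA1 (1.2.840.10045.4.1)",
    "2a8648ce380403": "dsa-with-sha1 (1.2.840.10040.4.3)",
    "2b0e03021d": "sha1WithRSASignature (1.3.14.3.2.29)",
}
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def signature_oid_hex(der):
    """Hex of the OID in Certificate.signatureAlgorithm (RFC 5280 layout)."""
    _, cert, _ = read_tlv(der, 0)    # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert, 0)    # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)  # signatureAlgorithm SEQUENCE
    tag, oid, _ = read_tlv(alg, 0)   # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return oid.hex()

def sha1_signed(pem_text):
    """Return [(position_in_bundle, algorithm)] for SHA-1-signed certificates."""
    oids = [signature_oid_hex(base64.b64decode(m.group(1)))
            for m in PEM_CERT.finditer(pem_text)]
    return [(i, SHA1_SIG_OIDS[o]) for i, o in enumerate(oids) if o in SHA1_SIG_OIDS]

def _pem(der_hex):
    b64 = base64.b64encode(bytes.fromhex(der_hex)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed DER skeletons (empty tbsCertificate and signature), not real certificates.
SAMPLE_BUNDLE = (_pem("30143000300d06092a864886f70d0101050500030100")     # SHA-1
                 + _pem("30143000300d06092a864886f70d01010b0500030100"))  # SHA-256
```

Run `sha1_signed()` over the text of each PEM file your Splunk configuration references; the position in each result identifies which certificate in a chain file carries the SHA-1 signature.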
Non-Breaking Changes
Python 3.13 for the Splunk daemon
Summary: Splunk platform 10.2 now ships with Python version 3.13 runtime, though version 3.9 remains the default. Splunk does not expect this change to affect any customers, but we want to advise customers now, since we will be updating the Python runtime defaults in future Splunk platform releases.
Overview: Splunk platform 10.2 introduces Python version 3.13 as an opt-in runtime, while Python 3.9 continues to serve as Splunk’s Long-Term Support (LTS) runtime and default. This ensures customers and app developers have a stable, predictable Python baseline while still letting early adopters take advantage of newer Python capabilities. There is no impact to existing deployments in Splunk 10.2, but this release begins a transition toward a dual-track model—combining a long-lived LTS runtime with newer Python versions that will become defaults in future releases. This change applies to Splunk Core extensions such as custom search commands, custom REST endpoints, scripted inputs, modular inputs, external lookups, modular alert actions, and more.
Affected Customers: Developers whose apps use Python code and customers who use these apps.
Issue Detection & Mitigation Guidance: No action is required currently. However, app developers should begin evaluating their apps for compatibility with Python 3.13 and can begin updating the python.required setting starting with a version of their apps that Splunk marks as compatible with Splunk platform 10.2 on Splunkbase. Refer to the following guidance on dev.splunk.com for additional details:
In-Product Notifications
Splunk uses the Splunk Cloud Monitoring Console and the Splunk Enterprise Monitoring Console, alongside the Splunk Health Assistant Add-on, to notify customers of potential issues that it detects on their Splunk installations. Splunk will continue to release new checks through these tools to assist customers with preparation for migration to Splunk platform 10.2, as we did with Splunk platform 10.0.
To learn more about these tools, check the following links:
Additional Resources
Interested in having a Splunk expert give you their opinion on your readiness for migration to Splunk platform 10.2? Need help resolving specific issues? The Splunk OnDemand Services team has you covered. You can learn more about ODS and get in touch at the following link: Splunk OnDemand Services.
In addition, the following resources might help you understand and implement this guidance:
- Splunk Help: How to upgrade Splunk Enterprise
- Splunk Help: About upgrading to 10.2 - Read this first

