If you are the author or maintainer of a Splunk add-on, then periodically you’ll need to perform some maintenance. You might need to package it again with the latest Add-on Builder or check that it still validates against the latest validation rules. Often this is just a click-through exercise, resulting in a new version which you can upload to Splunkbase.

The issue detailed here (an outdated version of the Splunk SDK for Python) is a bit more involved though. iDelta have a number of add-ons hosted on the Splunk App Store (Splunkbase) and a couple of them have recently failed validation with the following error: “Check that Splunk SDK for Python is up-to-date..”

Drilling down on that error in App Inspect reveals the following message:
“Detected an outdated version of the Splunk SDK for Python (1.6.6). Upgrade to 1.7.3 or later. File: bin/ta_mulesoft_cloudhub_add_on_for_splunk/aob_py3/solnlib/packages/splunklib/binding.py Line Number: 1371”

In this post we provide a set of steps that worked for us. Hopefully they work for you too.

Step 1 – Preparation

  1. Take a backup
  2. Recommended: Upgrade your dev Splunk instance to the latest version of Splunk and the latest add-on builder
  3. Download the latest Python SDK for Splunk
  4. Untar the SDK somewhere temporarily (/tmp?) on your dev server

Step 2 – Sanity Check

The error message is complaining about a specific line (1371) in the binding.py file. If we check this line and those around it, we see the following:

def request(url, message, **kwargs):
    scheme, host, port, path = _spliturl(url)
    body = message.get("body", "")
    head = {
        "Content-Length": str(len(body)),
        "Host": host,
        "User-Agent": "splunk-sdk-python/1.6.6",  # hard-coded version flagged by App Inspect
        # ... (excerpt ends here)

We can see the offending version number hard-coded into the HTTP header “User-Agent”.

If we compare this with the “def request” function in binding.py from the latest SDK, we see the following:

def request(url, message, **kwargs):
    scheme, host, port, path = _spliturl(url)
    body = message.get("body", "")
    head = {
        "Content-Length": str(len(body)),
        "Host": host,
        "User-Agent": "splunk-sdk-python/%s" % __version__,  # version now taken from the package
        # ... (excerpt ends here)

We can see that the version string of the User-Agent has been parameterised. Looking at the top of the Python file, we can see that the version is imported:

from splunklib import __version__

So, the new SDK certainly has changes in the problem area.

Step 3 – Make the changes

  1. Stop your Splunk server
  2. cd into the “bin” directory of your add-on, then cd into the <lower-case TA name with underscores> directory
    e.g. cd /opt/splunk/etc/apps/TA-mulesoft-cloudhub-add-on-for-splunk/bin/ta_mulesoft_cloudhub_add_on_for_splunk
  3. Remove the aob_py2 directory (Python 2 is no longer needed)
    e.g. rm -R aob_py2
  4. Change into the python 3 directory: cd aob_py3
  5. Remove the splunklib directory: rm -R splunklib
  6. Copy in the latest splunklib from the SDK you downloaded (change paths and versions to match your download and extract): cp -R /tmp/splunk-sdk-1.7.3/splunklib .
  7. Replace the solnlib/packages version of splunklib:
    cd solnlib/packages
    rm -R splunklib
    cp -R /tmp/splunk-sdk-1.7.3/splunklib .
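
Step 3 replaces two separate copies of splunklib, and the App Inspect message pointed at the one under solnlib/packages. The following script is an added example (not part of the original post or of any Splunk tooling) that walks an add-on directory and reports the version of every bundled splunklib copy, so a missed copy shows up before you re-run validation. It assumes the old SDK hard-codes its version in the binding.py User-Agent string, as shown in Step 2, and that the new SDK declares `__version_info__ = (x, y, z)` in splunklib/__init__.py; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

MINIMUM = (1, 7, 3)  # minimum version named in the App Inspect message
UA = re.compile(r"splunk-sdk-python/(\d+)\.(\d+)\.(\d+)")  # hard-coded form in old binding.py
INFO = re.compile(r"__version_info__\s*=\s*\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)")  # assumed form

def _search(path, pattern):
    """Return (major, minor, patch) from the first match in the file, or None."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        match = pattern.search(fh.read())
    return tuple(map(int, match.groups())) if match else None

def find_splunklib_copies(addon_root):
    """List (relative_dir, version, flagged) for every bundled splunklib copy."""
    results = []
    for dirpath, _dirs, files in os.walk(addon_root):
        if os.path.basename(dirpath) != "splunklib" or "binding.py" not in files:
            continue
        version = (_search(os.path.join(dirpath, "binding.py"), UA)
                   or _search(os.path.join(dirpath, "__init__.py"), INFO))
        # Copies whose version cannot be determined are flagged for a manual look
        flagged = version is None or version < MINIMUM
        results.append((os.path.relpath(dirpath, addon_root), version, flagged))
    return sorted(results)

def build_sample_addon(root):
    """Constructed sample: top-level copy replaced, solnlib copy left at 1.6.6."""
    new = os.path.join(root, "aob_py3", "splunklib")
    old = os.path.join(root, "aob_py3", "solnlib", "packages", "splunklib")
    samples = {
        (new, "__init__.py"): "__version_info__ = (1, 7, 3)\n",
        (new, "binding.py"): '"User-Agent": "splunk-sdk-python/%s" % __version__,\n',
        (old, "binding.py"): '"User-Agent": "splunk-sdk-python/1.6.6",\n',
    }
    for (directory, name), text in samples.items():
        os.makedirs(directory, exist_ok=True)
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_addon(tmp)
        for rel, version, flagged in find_splunklib_copies(tmp):
            print("OUTDATED" if flagged else "ok", rel, version)
```

To check a real add-on, call find_splunklib_copies() with the path to its bin/<lower-case TA name with underscores> directory instead of the constructed sample.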

Step 4 – Validation

Perform the following steps to validate the change has worked:

  1. Start the Splunk Dev server
  2. Return to the add-on builder validation page and re-run Validate

The “outdated version of the Splunk SDK for Python” error should now be resolved!

Posted by: Stuart Robertson

Stuart Robertson is the Consulting Director at iDelta. He is one of the initial founders of iDelta and has worked there since its formation in 2001. Stuart holds various certifications in Core Splunk and ITSI. Stuart also holds a BSc (Hons) in Computing Science from the University of Glasgow.