{"id":24396,"library":"pysigma-backend-splunk","title":"pySigma Splunk Backend","description":"Generates Splunk Search Processing Language (SPL) from Sigma rules via the pySigma library. Supports SPL and SPL2 targets, Splunk Data Models, correlation rules, and field existence expressions. Compatible with pySigma >=1.0, Python >=3.10. Current version 2.1.0, release cadence is irregular.","status":"active","version":"2.1.0","language":"python","source_language":"en","source_url":"https://github.com/SigmaHQ/pySigma-backend-splunk","tags":["sigma","splunk","spl","spl2","pySigma","backend"],"install":[{"cmd":"pip install pysigma-backend-splunk","lang":"bash","label":"Install with pip"}],"dependencies":[{"reason":"Core library providing rule parsing and conversion pipeline.","package":"pySigma","optional":false}],"imports":[{"note":"There is no top-level `splunk` package to import from; the backend lives in the `sigma.backends.splunk` submodule of pySigma (a bare `import splunk` is the ModuleNotFoundError listed under problems).","wrong":"from splunk import SplunkBackend","symbol":"SplunkBackend","correct":"from sigma.backends.splunk import SplunkBackend"},{"note":"Always specify the full submodule path to avoid import errors.","wrong":"from sigma.backends import SplunkBackend","symbol":"SplunkBackend","correct":"from sigma.backends.splunk import SplunkBackend"}],"quickstart":{"code":"from sigma.collection import SigmaCollection\nfrom sigma.backends.splunk import SplunkBackend\n\n# Parse a simple Sigma rule\nrule = SigmaCollection.from_yaml('''\ntitle: Test\nstatus: test\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  sel:\n    Image|endswith: '\\\\cmd.exe'\n  condition: sel\n''')\n\nbackend = SplunkBackend()\nqueries = backend.convert(rule)\nfor q in queries:\n    print(q)","lang":"python","description":"Parse a Sigma rule and convert it to SPL using the Splunk backend."},"warnings":[{"fix":"Upgrade pySigma to >=1.0 and use pysigma-backend-splunk >=2.0.0.","message":"Version 2.0.0 of this backend is a major release requiring pySigma >=1.0. Installing it alongside an older pySigma causes import errors.","severity":"breaking","affected_versions":"<=1.1.3"},{"fix":"Use `SplunkBackend(output_format='spl2')` when you need SPL2 output.","message":"The SplunkBackend default output format is 'default' (SPL). To generate SPL2, you must pass `output_format='spl2'` to the constructor.","severity":"gotcha","affected_versions":"all"},{"fix":"Change imports from `sigma.plugins.splunk` to `sigma.backends.splunk`.","message":"Direct use of the old `splunk` subpackage from `sigma.plugins` is deprecated in pySigma 1.0. Use `sigma.backends.splunk` instead.","severity":"deprecated","affected_versions":">=2.0.0"}],"env_vars":null,"last_verified":"2026-05-01T00:00:00.000Z","next_check":"2026-07-30T00:00:00.000Z","problems":[{"fix":"Use `from sigma.backends.splunk import SplunkBackend` instead of `import splunk`.","cause":"The backend is not a top-level package; it must be imported from within pySigma.","error":"ModuleNotFoundError: No module named 'splunk'"},{"fix":"Import `SplunkBackend` from `sigma.backends.splunk`, make sure pySigma >=1.0 is installed with backend >=2.0.0, and pass a `SigmaCollection` (parsed from YAML, as in the quickstart) to `backend.convert()`.","cause":"This message says the `convert` attribute itself is missing on the object, which passing the wrong argument type (for example a raw YAML string instead of a parsed collection) would not be expected to produce. Most likely `SplunkBackend` is not the class from `sigma.backends.splunk` or the installed pySigma and backend versions do not match. `convert()` expects a `SigmaCollection` object, not a string.","error":"AttributeError: 'SplunkBackend' object has no attribute 'convert'"}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}