pySigma Splunk Backend

2.1.0 verified Fri May 01 auth: no python

Generates Splunk Search Processing Language (SPL) from Sigma rules via the pySigma library. Supports SPL and SPL2 targets, Splunk Data Models, correlation rules, and field existence expressions. Compatible with pySigma >=1.0, Python >=3.10. Current version 2.1.0, release cadence is irregular.

pip install pysigma-backend-splunk
error ModuleNotFoundError: No module named 'splunk'
cause The backend is not a top-level package; it must be imported from within pySigma.
fix Use `from sigma.backends.splunk import SplunkBackend` instead of `import splunk`.
error AttributeError: 'SplunkBackend' object has no attribute 'convert'
cause Misunderstanding the API: `convert()` is a method of the backend, but expects a `SigmaCollection` object, not a string.
fix Pass a `SigmaCollection` object (parsed from YAML) to `backend.convert()`.
breaking Version 2.0.0 is a major release requiring pySigma >=1.0. Older pySigma versions will cause import errors.
fix Upgrade pySigma to >=1.0 and use pysigma-backend-splunk >=2.0.0.
gotcha The SplunkBackend default output format is 'default' (SPL). To generate SPL2, you must pass `output_format='spl2'` to the constructor.
fix Use `SplunkBackend(output_format='spl2')` when you need SPL2 output.
deprecated Direct use of the old `splunk` subpackage from `sigma.plugins` is deprecated in pySigma 1.0. Use `sigma.backends.splunk` instead.
fix Change imports from `sigma.plugins.splunk` to `sigma.backends.splunk`.

Parse a Sigma rule and convert it to SPL using the Splunk backend.

from sigma.collection import SigmaCollection
from sigma.backends.splunk import SplunkBackend

# Parse a simple Sigma rule
rule = SigmaCollection.from_yaml('''
title: Test
status: test
logsource:
  category: process_creation
  product: windows
detection:
  sel:
    Image|endswith: '\\cmd.exe'
  condition: sel
''')

# Default output format is SPL; convert() takes the SigmaCollection, not the YAML string
backend = SplunkBackend()
queries = backend.convert(rule)   # one SPL query string per rule in the collection
for q in queries:
    print(q)