- Add a scripted-input variant (
[script://...]) of the database updater as a wrapper (geoipupdate_script.py) around the existingrun_database_update()logic, and disable thegeoipupdate_inputmodular input's default instance. This tests whether a scripted input runs on every search head cluster member in Splunk Cloud, unlike the modular input which only runs on one. The updater should continue to function through this alternate mechanism.
- Declare
run_only_oneas a scheme argument in thegeoipupdate_inputmodular input's Python scheme (get_scheme), in addition to theinputs.conf.specentry added in 1.1.1. Splunk appears to only honor modular input settings other than the standardname,interval,index, andsourcetypewhen they are declared as scheme arguments, so settingrun_only_oneininputs.confalone was not enough for it to take effect. Splunk's own add-ons (for example, the Splunk Add-on for CrowdStrike FDR) declarerun_only_onethis way. On Splunk Cloud Victoria this appears to be required forrun_only_one = falseto be respected so that each search head cluster member runs the input and downloads its own databases.
- Declare the
interval,disabled, andrun_only_onesettings in thegeoipupdate_inputmodular input'sinputs.conf.specso the input's supported parameters are documented in the spec file. This is to see if includingrun_only_onewill make the database update modular input run on all search heads in a search head cluster.
- Set
local = truefor thegeoipsearch command so it runs on the search head instead of distributed peers. This avoids failures in distributed searches when indexers do not have the MaxMind databases or updater-managed app state available locally.
- Initial release.