Declare run_only_one as a scheme argument for geoipupdate_input #84

Merged
oschwald merged 3 commits into main from wstorey/run-only-once-scheme
Jun 25, 2026

@horgh horgh commented Jun 25, 2026

Contributor

Summary by CodeRabbit

  • Bug Fixes

    • Improved handling of the update input so it can run correctly across clustered search head members.
    • Updated the AppInspect check to use the latest app artifact.
  • New Features

    • Added support for a new input setting that helps control single-instance execution.
  • Chores

    • Bumped the app version to 1.1.2 across build and release metadata.
  • Documentation

    • Added a 1.1.2 changelog entry describing the release.

horgh and others added 3 commits June 25, 2026 03:41
Background
----------
The geoip database updater is a modular input. In a search head cluster
we want it to run on every member so each member downloads its own copy
of the MaxMind databases: the geoip search command runs with local=true
and needs the .mmdb files present on the search head that executes it.
To get that, the input ships run_only_one = false in inputs.conf, and
1.1.1 additionally added run_only_one to the inputs.conf.spec.

Despite that, the input was reported as not running on all search heads
on Splunk Cloud Victoria -- it behaved as if run_only_one defaulted to
true (run on only a single member).

Why setting it in inputs.conf was not enough
--------------------------------------------
run_only_one is a server-side (splunkd) setting. It is not referenced
anywhere in the Splunk Python SDK (splunklib.modularinput) or in the UCC
add-on generator (addonfactory-ucc-generator), so nothing on the client
side reads or acts on it. Splunk's configuration system stores arbitrary
keys, so run_only_one = false is persisted and shows up in btool, but
being present in inputs.conf is not the same as the input subsystem
acting on it.

For a modular input, the parameters splunkd recognizes come from the
input's scheme. The SDK serializes each declared Argument into the
scheme's <endpoint><args> list (splunklib/modularinput/scheme.py), and
UCC treats only name, interval, index, and sourcetype as built-in fields
that do not need declaring (commands/build.py field_allow_list); every
other field, including run_only_one, is emitted as a scheme argument
(templates/input.template). So Splunk's own tooling expresses a
non-standard input setting by declaring it as a scheme argument.

Splunk's own add-ons follow the same pattern. The Splunk Add-on for
CrowdStrike FDR declares run_only_one as a scheme argument in every one
of its modular inputs, and its inputs.conf.spec documents the Victoria
semantics: run_only_one = false runs one input instance on each search
head, while run_only_one = true runs a single instance for the whole
cluster.

Change
------
Declare run_only_one as a scheme argument in the modular input's runtime
get_scheme (GeoIPUpdateScript), which is the scheme splunkd actually
consumes. The module also keeps a separate, dependency-free dict scheme
on GeoIPUpdateInput so the module can be imported and unit tested without
the Splunk runtime; that dict and its unit test are updated to match so
the two representations stay in sync. run_only_one = false remains set in
inputs.conf.

Caveat
------
The actual enforcement of run_only_one lives inside splunkd, which is
closed source, and the platform inputs.conf spec still marks the setting
"currently not supported / under development" (it is only implemented on
Splunk Cloud Victoria). This change matches Splunk's own tooling and
add-ons and is the only structural difference between this input and one
where run_only_one is honored, but it should be confirmed empirically on
a Victoria stack, e.g. "splunk btool inputs list geoipupdate_input://default
--debug" on each member and by verifying the input process runs on every
member.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
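
An added example, not part of the PR or the project's code: a check for the gap the commit message describes, where a key is set in inputs.conf but is not declared in the scheme's `<endpoint><args>` list. The scheme XML and inputs.conf text are constructed samples, the interval value and function names are assumptions, and Splunk .conf parsing is approximated with Python's configparser.

```python
import configparser
import xml.etree.ElementTree as ET

# Fields the commit message lists as built in for UCC; they need no declaration.
BUILT_IN = {"name", "interval", "index", "sourcetype"}

# Constructed samples: scheme XML before and after declaring run_only_one.
SCHEME_BEFORE = """<scheme><title>geoipupdate_input</title>
<endpoint><args>
  <arg name="name"><title>Name</title></arg>
</args></endpoint></scheme>"""
SCHEME_AFTER = SCHEME_BEFORE.replace(
    "</args>",
    '  <arg name="run_only_one">'
    "<required_on_create>false</required_on_create></arg>\n</args>",
)

# Constructed inputs.conf; the interval value is a placeholder.
INPUTS_CONF = """[geoipupdate_input://default]
interval = 86400
run_only_one = false
"""


def declared_args(scheme_xml):
    """Names of the <arg> elements under <endpoint><args>."""
    root = ET.fromstring(scheme_xml)
    return {arg.get("name") for arg in root.findall("./endpoint/args/arg")}


def undeclared_settings(scheme_xml, inputs_conf, scheme_name):
    """Map each stanza of this input to keys it sets that the scheme lacks."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(inputs_conf)
    known = declared_args(scheme_xml) | BUILT_IN
    findings = {}
    for stanza in conf.sections():
        if stanza == scheme_name or stanza.startswith(scheme_name + "://"):
            missing = sorted(key for key in conf[stanza] if key not in known)
            if missing:
                findings[stanza] = missing
    return findings


if __name__ == "__main__":
    for label, xml in (("before", SCHEME_BEFORE), ("after", SCHEME_AFTER)):
        print(label, undeclared_settings(xml, INPUTS_CONF, "geoipupdate_input"))
```

A non-empty result only shows that a key is persisted without being declared; whether splunkd acts on a declared key still has to be confirmed on the target stack, as the caveat in the commit message says.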

coderabbitai Bot commented Jun 25, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between b28b76f and 8764b03.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (8)
  • .github/workflows/lint.yml
  • CHANGELOG.md
  • build.sh
  • geoip/globalConfig.json
  • geoip/package/app.manifest
  • geoip/package/bin/geoipupdate_input.py
  • pyproject.toml
  • tests/geoipupdate_input_test.py

Walkthrough

The PR adds run_only_one to the geoipupdate_input modular input scheme, updates the corresponding test, and bumps version-related metadata to 1.1.2 with a matching changelog entry.

Changes

GeoIP update input release

| Layer / File(s) | Summary |
| --- | --- |
| Scheme argument registration: geoip/package/bin/geoipupdate_input.py, tests/geoipupdate_input_test.py | run_only_one is added to GeoIPUpdateInput.get_scheme()/GeoIPUpdateScript.get_scheme(), and the scheme test now expects that argument. |
| Release version metadata: build.sh, pyproject.toml, geoip/globalConfig.json, geoip/package/app.manifest, .github/workflows/lint.yml, CHANGELOG.md | Version references and release artifacts are updated to 1.1.2, and the changelog adds the new release entry. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • maxmind/geoip-splunk#80: Adds run_only_one to inputs.conf.spec, which this PR complements by declaring the same setting in get_scheme().
  • maxmind/geoip-splunk#81: Also updates the GeoIP app packaging/version flow, including the AppInspect tarball reference in the lint workflow.

Suggested reviewers

  • oschwald

Poem

A rabbit hopped through version land,
With run_only_one close at hand.
The scheme said “yes,” the tests agreed,
The tarball sprouted what they need.
🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly matches the main change: adding run_only_one as a scheme argument for geoipupdate_input. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request bumps the application version to 1.1.2 and declares run_only_one as a scheme argument in the geoipupdate_input modular input's Python scheme. This ensures that Splunk honors the setting, particularly on Splunk Cloud Victoria. The reviewer suggests explicitly setting the data_type of the run_only_one argument to Argument.data_type_boolean to ensure Splunk correctly validates the parameter type.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

# the inputs.conf run_only_one value to be honored; with
# run_only_one = false, each search head cluster member runs the
# input and downloads its own databases.
scheme.add_argument(Argument("run_only_one", required_on_create=False))
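
Review bot: The Argument on the last line is declared with only a name and required_on_create=False, so the scheme itself carries no description of what run_only_one does; the explanation exists only in the code comment above it. Consider passing a description to Argument, for example one stating that run_only_one = false makes each search head cluster member run the input, so the meaning travels with the scheme rather than staying in the source file.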

medium

Since run_only_one is a boolean parameter (as declared in inputs.conf.spec), it is recommended to explicitly set its data_type to Argument.data_type_boolean when adding it to the scheme. This ensures Splunk correctly recognizes and validates the parameter type rather than defaulting to a string.

Suggested change
scheme.add_argument(Argument("run_only_one", required_on_create=False))
scheme.add_argument(Argument("run_only_one", data_type=Argument.data_type_boolean, required_on_create=False))

@oschwald oschwald merged commit a550479 into main Jun 25, 2026
12 checks passed
@oschwald oschwald deleted the wstorey/run-only-once-scheme branch June 25, 2026 14:32