Hi!

As you've found, there's no direct and easy way to just "run" a dboutput. I wish there was, and have an Enhancement Request in to Splunk for this, but as of the latest version it's still not there.

There are two methods I use for all my dboutputs (at $job-1 we had 30 or 40).

1) Schedule it initially with a fake cron schedule of, say, */5 * * * * to run every 5 minutes. Let it run once, then edit the input to set it to the "right" schedule. The only challenge is to make */5 be small enough that it's not an eternity, but long enough that you can actually disable it before it runs twice. Either every 5 or every 10 minutes was what I usually used.

2) Or, use dbxoutput to run the output initially. The biggest pain in the rear is the dbxoutput command does not do any of the search-side stuff. For some reason my brain continues - even after all this time - to insist that dbxoutput should run the entire thing as configured. But it doesn't, it only runs the output side of things. So my process when I used this was to build my dboutput using the UI as usual. EXCEPT, be sure to copy and paste the search you run temporarily into a text editor. Then, once you've finished the dboutput, open a new search window, paste in your search, and append to it | dbxoutput output=<mydboutputname>. If you do that, your search will run and it'll also push the output to your db.

Hopefully one of these two methods will work for you!

Happy Splunking!
-Rich