Solved: Re: How to use a database output

matstap · ‎05-03-2018

I created a database output in Splunk DB Connect and gave it a schedule... Now what? I would like to run it now, but I can't find it in my scheduled jobs or saved searches. How can I run the output right now?

I'm in a clustered environment, so the schedule won't work(?)

Richfez · ‎05-04-2018

Hi!

As you've found, there's no direct and easy way to just "run" a dboutput. I wish there was, and have an Enhancement Request in to Splunk for this, but as of the latest version it's still not there.

There are two methods I use for all my dboutputs (at $job-1 we had 30 or 40).

1) Schedule it initially with a fake cron schedule of, say, */5 * * * * to run every 5 minutes. Let it run once, then edit the input to set it to the "right" schedule. The only challenge is to make */5 be small enough that it's not an eternity, but long enough that you can actually disable it before it runs twice. Either every 5 or every 10 minutes was what I usually used.

2) Or, use dbxoutput to run the output initially. The biggest pain in the rear is the dbxoutput command does not do any of the search-side stuff. For some reason my brain continues - even after all this time - to insist that dbxoutput should run the entire thing as configured. But it doesn't, it only runs the output side of things. So my process when I used this was to build my dboutput using the UI as usual. EXCEPT, be sure to copy and paste the search you run temporarily into a text editor. Then, once you've finished the dboutput, open a new search window, paste in your search, and append to it | dbxoutput output=<mydboutputname>. If you do that, your search will run and it'll also push the output to your db.

Hopefully one of these two methods will work for you!

Happy Splunking!
-Rich

View solution in original post

Richfez · ‎05-04-2018

Hi!

As you've found, there's no direct and easy way to just "run" a dboutput. I wish there was, and have an Enhancement Request in to Splunk for this, but as of the latest version it's still not there.

There are two methods I use for all my dboutputs (at $job-1 we had 30 or 40).

1) Schedule it initially with a fake cron schedule of, say, */5 * * * * to run every 5 minutes. Let it run once, then edit the input to set it to the "right" schedule. The only challenge is to make */5 be small enough that it's not an eternity, but long enough that you can actually disable it before it runs twice. Either every 5 or every 10 minutes was what I usually used.

2) Or, use dbxoutput to run the output initially. The biggest pain in the rear is the dbxoutput command does not do any of the search-side stuff. For some reason my brain continues - even after all this time - to insist that dbxoutput should run the entire thing as configured. But it doesn't, it only runs the output side of things. So my process when I used this was to build my dboutput using the UI as usual. EXCEPT, be sure to copy and paste the search you run temporarily into a text editor. Then, once you've finished the dboutput, open a new search window, paste in your search, and append to it | dbxoutput output=<mydboutputname>. If you do that, your search will run and it'll also push the output to your db.

Hopefully one of these two methods will work for you!

Happy Splunking!
-Rich

How to use a database output

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases