• About this manual
  • What's in this guide?
• About Splunk
  • About Splunk
  • About Splunk licenses
    • Which license?
    • Install your license
    • License violations
• Use Splunk Web
  • About Splunk Web
    • Dashboards
    • Preferences
    • Admin pages
  • Change Splunk Web preferences
    • Search
    • General
  • About Splunk server settings
    • View server settings
    • Control server
    • Configure authentication method
  • Change Splunk server default settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Tutorial
  • About this tutorial
    • Requirements
    • Log in
    • Splunk Web
    • Command line interface (CLI)
  • Simple searches
    • Index data
    • Search
    • Narrow your search
    • Use the timeline
  • Search results
    • Events and fields
    • Filter on fields
    • Define custom fields
    • Tag fields
    • Collect snapshots
  • Event types
    • Find similar events
    • Save as event type
    • Search for an event type
    • Tag an event type
    • Automated event type discovery
  • Save options
    • Save a search
    • Schedule the search
    • Schedule an alert
  • Reports
    • Report on results
    • Report on fields
    • Build new reports
    • Pick different charts
    • Add a report to your dashboard
  • More searches
    • Report
    • Transform
    • Re-order
    • Filter
    • Evaluate
    • Add a comparison
    • Use subsearches
• Add inputs
  • About inputs
    • Files and directories
    • FIFO queues
    • Network ports
  • Use Data Inputs page
    • Access Data Inputs page
    • Run crawls
    • Add files and directories
    • Add FIFO queues
    • Add network ports
  • Use crawl
    • Run a crawl
    • Save a crawl
• Index
  • About indexes and indexing
    • Events, segments, and fields
    • Search and indexes
  • Manage your indexes
    • View and manage indexes
    • Edit index properties
  • Create new index
    • via Splunk Web
    • via the CLI
  • Delete an index
• Search
  • Splunk search
    • Generate search results
    • Construct searches
    • Types of search
    • Save and schedule searches
    • Tune search performance
  • Form search
    • Run a form search
  • Transactions
    • Example use cases
    • The transaction search command
    • Example transaction searches
    • Transactions and macro search
    • When to not use transactions
  • Macro search
    • Configure a macro search
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the CLI
    • Current limitations
• Tag
  • About tags
    • Search for extracted fields associated with tags
    • Configure tags
    • Configure roles for tagging
  • Tag field values (including: event types, hosts, and sources)
    • Tag hosts or sources
    • Tag event types
    • Methodologies for host and event type tag management
  • Manage tags with tagcreate and tagdelete
    • Create tags with tagcreate
    • Disable tags with tagdelete
  • Alias a source type
    • Add/edit a source type alias
• Report
  • Run reports
    • Report on results
    • Report on fields
    • Report using reporting commands
    • Choose different charts
    • Add a report to your dashboard
    • Summary indexing
  • Chart gallery
    • Column (or bar) chart
    • Stacked column (or bar) chart
    • Line chart
    • Area chart
    • Stacked area chart
    • Scatter plot
    • Pie graph
    • Doughnut graph
    • Bubble graph
    • Heat map
  • Examples of useful reports
    • Internal Splunk log data
    • System monitoring data
    • Web access data
    • Web application data
    • Firewall (or connection) activity
    • Email activity or email transactions
    • Transaction data
  • Summary indexing
    • How summary indexing works
    • Configure summary indexing
    • Search commands useful to summary indexing
    • General guidelines for summary indexing
    • Aggregated statistics
    • Gaps and overlaps
• Save, Schedule, and Alert
  • Save, schedule, and set alerts
    • Save a search
    • Schedule a search
    • Configure an alert
    • Enable summary indexing
  • Find and manage saved searches
    • Delete or modify saved searches
    • Display saved searches on dashboard
• Use the Splunk Command Line Interface (CLI)
  • About Splunk's CLI
    • Access help in the CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
    • Start live tail
  • Search in the CLI
    • CLI Search syntax
    • Examples of CLI search
    • Dispatched searches
    • CLI search parameters
  • CLI commands
    • Syntax
    • Command list
  • Change default Splunk server settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Search reference
  • Search syntax
    • Keyword search
    • Literals ("quotes")
    • Wildcards
    • Punctuation marks
    • Boolean operators
    • Comparison operators
  • Search pipeline syntax
    • Search pipeline syntax
    • Subsearch syntax
  • Search cheatsheet
    • Add fields
    • Convert fields
    • Filter and order fields
    • Filter results
    • Order results
    • Group results
    • Classify events
    • Change display formatting
    • Generate data
    • Report
    • Administrative
    • Subsearch
• Field reference
  • About fields
    • Use fields in Splunk Web
    • Field syntax
    • Field naming
    • Multi-value fields
  • List of default fields
    • _index
    • _raw
    • _time
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • host
    • linecount
    • punct
    • source
    • sourcetype
    • timestamp
• Modifier reference
  • Modifiers
    • Modifier syntax
    • Modifier precedence
  • Search modifiers
    • eventtypetag
    • hosttag
    • savedsearch
    • tag
  • Time modifiers
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hoursago
    • minutesago
    • monthsago
    • searchtimespandays
    • searchtimespanhours
    • searchtimespanminutes
    • searchtimespanmonths
    • startdaysago
    • starthoursago
    • startminutesago
    • startmonthsago
    • starttime
    • starttimeeu
    • timeformat
• Search command reference
  • Search commands
    • Commands that support multi-value fields
    • Conventions used in the search reference
    • Command index
  • Generate data
    • crawl
    • file
    • savedsearch
    • search
  • Filter and re-order
    • dedup
    • head
    • localize
    • regex
    • reverse
    • set
    • sort
    • tail
    • where
  • Extract
    • addinfo
    • extract (kv)
    • iplocation
    • multikv
    • rex
    • typer
    • xmlkv
  • Evaluate
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Transform and report
    • associate
    • chart
    • cluster
    • contingency
    • collect
    • correlate
    • diff
    • eventstats
    • format
    • highlight
    • makemv
    • mvcombine
    • mvexpand
    • nomv
    • overlap
    • rare
    • stats
    • strcat
    • timechart
    • top
    • transaction
    • typelearner
    • xmlunescape
  • Administrative commands
    • admin
    • audit
    • run
  • Unsupported search commands
    • createrss
    • dispatch
    • folderize
    • gentimes
    • idxprobe
    • inputcsv
    • load
    • map
    • outputatom
    • outputcsv
    • outputraw
    • outputtext
    • outputxml
    • page
    • rawstats
    • save
    • sendemail
    • tagcreate
    • tagdelete
    • tags
    • tagset
    • translate
  • Deprecated search commands
    • nopartial
    • remote
    • searchps
    • select
    • streamedcsv
    • summary
    • timeline
    • uniq

Use crawl

crawl searches your filesystem for new data sources to add to your index. Configure one or more types of crawlers in crawl.conf to define the type of data sources to include in or exclude from your results. Save this crawl search and schedule it to run regularly to update your indexes.

This topic explains how to use the crawl command and how to save and schedule a crawl search. Refer to the Admin manual for instructions to configure crawl. You can also watch this Splunk developer video about crawl.

Note: Splunk currently supports one type of crawler, labeled file_crawler. As yet, you cannot define a custom crawler.

Run a crawl

In Splunk Web, you can access and run the crawl command from the Splunk search bar and the Admin > Data Inputs: Crawls page.

The Splunk search bar
You can run the crawl command directly from the search bar:

| crawl

For example, you can tell Splunk to crawl specific directories when you include the root argument:

| crawl root=/private/var/log;/private/var/db

The Admin page
You can manage all your saved crawls from the Admin > Data Inputs: Crawls page. From this page, you can also run the default crawl search by clicking New Crawl:

| crawl | search NOT *personal*

Results of a crawl

For each item listed in your crawl results, Splunk displays whether or not it is a file, a timestamp indicating when it was last modified, its size, and its status (whether it is added or not added to your inputs). You can perform two actions on each data source: Add input and Preview file/directory.

Preview file or directory

To review the contents of the data source before adding it as an input, click Preview file or Preview directory.

A new window opens:

• If you click Preview file on a file, Splunk returns events from the file.
• If you click Preview directory on a directory, Splunk displays a list of the files in the directory and lets you drill-down further and preview each file.

Add input

To add the selected data source as an input, click Add input.

Now, when you go to the Admin page and select the Data Inputs tab, your selected data source is listed.

Note: Adding data inputs with crawl modifies your inputs.conf file to include a stanza describing the new source. For example, if crawl discovers /var/log, clicking Add input adds the following stanza to inputs.conf:

[monitor:///var/log]
disabled = false
index = main
class = crawl
generator = ui

Save a crawl

After you run a crawl search, save the search by clicking the Save this Crawl... link located above your search results. This action opens the Admin > Data Inputs: Crawls: Create Crawl page which prompts you to:

• Name your crawl search.
• If necessary, edit your search.
• If desired, elect to run your crawl on a schedule.
• Click Cancel to return to the Admin > Data Inputs.
• Click Save to save your crawl search.

Note: Your crawl won't save, if you don't provide a name.

Manage saved crawls

Manage your saved crawl searches from the Admin > Data Inputs: Crawls page. You can run a new crawl or select one or more saved crawls to:

• Run Now and update your indexes.
• Enable or Disable so that you can start or stop updating particular indexes.
• Delete to remove the search from your list.

Edit the search and schedule properties of an individual crawl by clicking on its Name.

Note: You can't change the name of your saved crawl.

Schedule saved crawls

When scheduling your saved crawls, you can define the type of schedule and how frequently to run it. You can also set alert options and define fields to include in summary indexes. These options are exactly the same as options provided for saving regular (non-crawl) searches.