Skip to main content


Splunk Lantern

Printer information in a Windows environment

You might want basic information about the printers in your Windows environment when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


Your boss has asked you to start gathering basic statistics on printer activity in your organization. He would like to know how many print servers and printers there are, as well as what the spooling load is at various times of the day. This information will help with resource planning.

To optimize the search shown below, you should specify an index and a time range.

  1. Verify that you deployed the add-on to the search heads and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
  2. Enable the following inputs:
    • *WinPrintMon://printer
    • *WinPrintMon://job
    • *WinPrintMon://driver
    • *WinPrintMon://port
  3. To see only the number of printers on your network, run the following search: 
|stats dc(ComputerName) AS "Print Servers"  dc(printer) AS Printers
  1. For detailed information about the jobs running on the servers, run the following search: 
|dedup JobId, ComputerName 
|rename ComputerName AS "Print Server" 
|stats count(JobId) AS "No. of Print Jobs" BY "Print Server" 
    [ stats sum("No. of Print Jobs") AS "Total No. of Print Jobs" 

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation


Search only the printer monitor event type. 

|stats dc(ComputerName) AS "Print Servers"  dc(printer) AS Printers

Count the number of distinct printer servers and printers


Search only the printer monitor event type.

|dedup JobId, ComputerName

Remove duplicate combinations of JobId  and ComputerName.

|rename ComputerName AS "Print Server" 

Rename the fields as shown for better readability.. 

|stats count(JobId) AS "No. of Print Jobs" BY "Print Server"

Count the number of jobs by Print Server.


     [ stats sum("No. of Print Jobs") AS "Total         No. of Print Jobs"  ]

Use stats to calculate the total number of jobs and use appendpipe to put that information at the end of the outer search results. 


The table below shows sample output from the first search. It shows the number of print servers and printers. If you were to look at all the interesting fields, you could find other items that could be reported on in support of your needs, for example, the name of the document being printed, printer name, printer driver, user, submitted time, and total pages. A simple search of only the source type gives the list of available fields.  

Print Servers Printers



The next table shows sample output from the second search. These results show the number of unique printer jobs run on each print server and the total. This is just one example of the many metrics one could derive from the data set captured by the add-on for Windows. 

Print Server No. of Print  Total No. of Print Jobs











  • Was this article helpful?