Printer information in a Windows environment

 

Your boss has asked you to start gathering basic statistics on printer activity in your organization. He would like to know how many print servers and printers there are, as well as what the spooling load is at various times of the day. This information will help with resource planning.

Data required

Windows event logs

Procedure

  1. Verify that you deployed the Splunk Add-on for Microsoft Windows to the search heads and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
  2. Enable the following inputs:
    1. *WinPrintMon://printer
    2. *WinPrintMon://job
    3. *WinPrintMon://driver
    4. *WinPrintMon://port
  3. Run the following search. You can optimize it by specifying an index and adjusting the time range.
eventtype=printmon_windows 
|stats dc(ComputerName) AS "Print Servers"  dc(printer) AS Printers

  4. For detailed information about the jobs running on the servers, run the following search:

eventtype=printmon_windows 
|dedup JobId, ComputerName 
|rename ComputerName AS "Print Server" 
|stats count(JobId) AS "No. of Print Jobs" BY "Print Server" 
|appendpipe 
    [ stats sum("No. of Print Jobs") AS "Total No. of Print Jobs" ]

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
| --- | --- |
| `eventtype=printmon_windows` | Search only the printer monitor event type. |
| `\|stats dc(ComputerName) AS "Print Servers" dc(printer) AS Printers` | Count the number of distinct print servers and printers. |
| `eventtype=printmon_windows` | Search only the printer monitor event type. |
| `\|dedup JobId, ComputerName` | Remove duplicate combinations of JobId and ComputerName. |
| `\|rename ComputerName AS "Print Server"` | Rename the field as shown for better readability. |
| `\|stats count(JobId) AS "No. of Print Jobs" BY "Print Server"` | Count the number of jobs by Print Server. |
| `\|appendpipe [ stats sum("No. of Print Jobs") AS "Total No. of Print Jobs" ]` | Use stats to calculate the total number of jobs and use appendpipe to put that information at the end of the outer search results. |

Next steps

The table below shows sample output from the first search. It shows the number of print servers and printers. If you were to look at all the interesting fields, you could find other items that could be reported on in support of your needs, for example, the name of the document being printed, printer name, printer driver, user, submitted time, and total pages. A simple search of only the source type gives the list of available fields.  

| Print Servers | Printers |
| --- | --- |
| 3 | 5 |

The next table shows sample output from the second search. These results show the number of unique printer jobs run on each print server and the total. This is just one example of the many metrics one could derive from the data set captured by the add-on for Windows. 

| Print Server | No. of Print Jobs | Total No. of Print Jobs |
| --- | --- | --- |
| ops-sys-002 | 100 | |
| ops-sys-003 | 100 | |
| ops-sys-004 | 100 | |
| | | 300 |
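
The scenario also asks for the spooling load at various times of the day, which neither search above breaks out. One way to chart it, as an added example that is not part of the original article: it reuses only the JobId and ComputerName fields from the searches above, and hour_of_day is a field name chosen here.

```spl
eventtype=printmon_windows
| dedup JobId, ComputerName sortby +_time
| eval hour_of_day=strftime(_time, "%H")
| chart count(JobId) AS "Print Jobs" OVER hour_of_day BY ComputerName
```

Sorting the dedup by ascending _time keeps the earliest event for each job, so a job is counted in the hour it first appears rather than the hour of its last status update. Run it over several days so that each hour bucket reflects a typical load rather than a single day.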

Finally, you might want to look at searches similar to this one in our article Managing printers in a Windows environment.