You might want basic information about the printers in your Windows environment when doing the following:
Prerequisites
In order to execute this procedure in your environment, you may need to first on-board the data, services, or apps shown in the following table.
|
Category |
Name |
Importance |
|
Add-on |
Required |
Example
The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source.
Your boss has asked you to start gathering basic statistics on printer activity in your organization. He would like to know how many print servers and printers there are, as well as what the spooling load is at various times of the day. This information will help with resource planning.
- Verify that you deployed the add-on to the search heads and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
- Enable the following inputs:
- *WinPrintMon://printer
- *WinPrintMon://job
- *WinPrintMon://driver
- *WinPrintMon://port
- To see only the number of printers on your network, run the following search:
eventtype=printmon_windows
|stats dc(ComputerName) AS "Print Servers" dc(printer) AS Printers - For detailed information about the jobs running on the servers, run the following search:
eventtype=printmon_windows
|dedup JobId, ComputerName
|rename ComputerName AS "Print Server"
|stats count(JobId) AS "No. of Print Jobs" BY "Print Server"
|appendpipe
[ stats sum("No. of Print Jobs") AS "Total No. of Print Jobs"
Search Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|
Splunk Search |
Explanation |
|
eventtype=printmon_windows |
Search only the printer monitor event type. |
|
| stats dc(ComputerName) AS "Print Servers" dc(printer) AS Printers |
Count the number of distinct printer servers and printers |
|
Splunk Search |
Explanation |
|
eventtype=printmon_windows |
Search only the printer monitor event type. |
|
| dedup JobId, ComputerName |
Remove duplicate combinations of JobId and ComputerName. |
|
| rename ComputerName AS "Print Server" |
Rename the fields as shown for better readability.. |
|
| stats count(JobId) AS "No. of Print Jobs" BY "Print Server" |
Count the number of jobs by Print Server. |
|
| appendpipe [ stats sum("No. of Print Jobs") AS "Total No. of Print Jobs" ] |
Use stats to calculate the total number of jobs and use appendpipe to put that information at the end of the outer search results. |
Result
The table below shows sample output from the first search. It shows the number of print servers and printers. If you were to look at all the interesting fields, you could find other items that could be reported on in support of your needs, for example, the name of the document being printed, printer name, printer driver, user, submitted time, and total pages. A simple search of only the source type gives the list of available fields.
|
Print Servers |
Printers |
|
3 |
5 |
The next table shows sample output from the second search. These results show the number of unique printer jobs run on each print server and the total. This is just one example of the many metrics one could derive from the data set captured by the add-on for Windows.
|
Print Server |
No. of Print Jobs |
Total No. of Print Jobs |
|
ops-sys-002 |
100 |
|
|
ops-sys-003 |
100 |
|
|
ops-sys-004 |
100 |
|
|
300 |
Comments
0 comments
Please sign in to leave a comment.