topic Re: Trying to split the message text in a Windows event log in Splunk Search

Trying to split the message text in a Windows event log

ssemone — Thu, 04 Nov 2010 03:38:25 GMT

We are collecting Windows 2008R2 Printer server logs and have identified event_id = 307 as the log that contains information about printed jobs. The Message however, has the rest of the information in it that we want to be able to report on. Namely we want to be able to generate reports with Printer, pages Printed, User, machine. User is easy since that is outside of the log. The others are a bit more difficult. The tactic we are using is to replace via regex those strings we don't want thusly:

source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode="307" Message=* | eval Machine=replace(Message, “^.?on (.?) was printed.?”, “\1”) | eval Printer=replace(Message, “^.?printed on (.?) through port.?”, “\1”) | eval Pages=replace(Message, “^.?Pages printed: (.?). No.*?”, “\1”) | table Machine, Printer, Pages, User

That fails out with this error: SearchException: Error in 'eval' command: The expression is malformed. An unexpected character is reached at '“^.?on (.?) was printed.*?”, “\1”)'.

The Message data itself looks like this:

Message="Document 140, Microsoft Word - Document001 owned by personA on Machone001 was printed on HP_Printer001 through port 123.123.123.123. Size in bytes: 1219223. Pages printed: 27. No user action is required."

And we want to isolate three values…

The characters after "Pages Printed:" and up to the ".". In other words the number of pages printed.

Then the same with the string before "through port" so that we know the printer name

Then the string before "was printed" which gives us the name of the machine that originated the print job.

Re: Trying to split the message text in a Windows event log

David — Thu, 04 Nov 2010 06:50:04 GMT

Try this:

source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode="307" | rex field=_raw "owned by (?<User>.*?) on (?<Machine>.*?) was printed on (?<Printer>.*?) through port .* Pages printed: (?<Pages>\d*)" | table Machine Printer Pages User

You can also toss the regular expressions in your local props.conf:
[WinEventLog:Microsoft-Windows-PrintService/Operational]
EXTRACT-Printer = owned by (?<User>.*?) on (?<Machine>.*?) was printed on (?<Printer>.*?) through port .* Pages printed: (?<Pages>\d*)

And then your query would just become:
source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode="307" | table Machine Printer Pages User

The sourcetype for the props.conf may be off -- I haven't made the jump to LWF yet -- but it should get you close.

Re: Trying to split the message text in a Windows event log

southeringtonp — Thu, 04 Nov 2010 07:13:39 GMT

If you want to be more generic, you can always treat these as independent entries.

Technically this is less efficient, but probably not enough to be noticeable.

In transforms.conf:

[winprint-user]
REGEX = owned by (\S+)
FORMAT = user::$1

[winprint-pages]
REGEX = Pages printed: (\d+)
FORMAT = pages::$1

[winprint-machine]
REGEX = was printed on (\S+)
FORMAT = machine::$1

In props.conf:

[WinEventLog:Microsoft-Windows-PrintService/Operational]
REPORT-printing = winprint-user,winprint-pages,winprint-machine

Re: Trying to split the message text in a Windows event log

ssemone — Fri, 05 Nov 2010 06:06:38 GMT

This did it, thanks. We'll test out doing this via props.conf as well. Splunk is awesome.

Re: Trying to split the message text in a Windows event log

David — Fri, 05 Nov 2010 07:52:12 GMT

Excellent! I'm glad to hear it works. And yeah -- Splunk really is awesome. Looking at printer logs (which I'd been sending to Splunk for about a year, but was totally unaware of) and all of a sudden being able to create interesting and useful reports was easy and awesome.

Re: Trying to split the message text in a Windows event log

David — Fri, 05 Nov 2010 07:55:45 GMT

As an aside, here is the report I most enjoy:
[PrinterQuery| stats sum(Pages) as TotalPages by UserName | sort limit=10 -TotalPages | fields - TotalPages] PrinterQuery | chart sum(Pages) by User,Printer
The first part is a subquery that will generate a list of the top 10 users. The second part will put a chart of their printing habits. With the two combined, you can generate a stacked bar graph on a dashboard that will constantly show you the activities of your top printers.

Re: Trying to split the message text in a Windows event log

dionrivera — Fri, 03 Mar 2023 00:11:36 GMT

13 years later and this solution worked like a charm for me. Although, I wasn't able to use the props.conf file. Not sure if that's changed since this topic came up.