According to the Splunk App for Windows infrastructure docs, there should be a printer monitoring input available int the Splunk Add-On for Microsoft Windows. I have been looking all over the config files for the Technology Addon for Windows on my servers that have the app installed with within the universal forwarders, and I can't find any inputs to enable for print job monitoring.
Now, I could simply turn on the input on the Universal Forwarder's config, or add it to the TA's App config, however, the sourcetype expected by the Infrastructure App on my Indexer is "WinPrintMon", and not "WinEventLog:Microsoft-Windows-PrintService/Operational".
If there is an exisiting input on the TA to turn on, where is it?
If not, and I manually have to add it... do I simply force the sourcetype as "WinPrintMon" on the inputs.conf, or do I need to do a bunch of hullaballoo with props and transforms, too?
What version of Splunk is your environment running? For Splunk 6.1.2, both full instances of Splunk Enterprise and universal forwarders for Windows support local collection of printer subsystem information. It can be configured using Splunk web or inputs.conf. The following documentation shows the monitoring configuration stanzas in inputs.conf and the WinPrintMon sourcetype that your indexer is expecting: http://docs.splunk.com/Documentation/Splunk/6.1.2/Data/MonitorWindowsprinterinformation