Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Unable to index Microsoft-Windows-PrintService...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to index Microsoft-Windows-PrintService/Operational
Hello,
I would like to index all print events generated on Windows Server 2012 Event log. The log is located under Windows Logs, Applications and Services, Microsoft, Windows, PrintService, Operational (and Admin).
I installed a Universal Forwarder on the print server then tried to view logs on my indexer, and the only Available Logs are the standard ones. If I look at Data Inputs for Local Log File Collection, the PrintService logs are available.
Here are the contents of my local\inputs.conf
[default]
host = PS-MAINOFFICE2
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[WinEventLog://Microsoft-Windows-PrintService/Admin]
disabled = 0
[WinEventLog://Microsoft-Windows-PrintService/Operational]
disabled = 0
Here's what shows in my splunkd.log on the print server:
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WELCheckPoint::saveCheckpointStr: Unable to open checkpoint file='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\microsoft-windows-printservice/operational' for write
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::saveBookMark: Failed to save checkpoint_file='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\microsoft-windows-printservice/operational' for channel='microsoft-windows-printservice/operational'
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::processLogChannel: Failed to checkpoint for channel='microsoft-windows-printservice/operational'
Am I missing something somewhere?
Thanks,
Mike
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know what happened, but the problem seemed to have fixed itself. I'm seeing print events now. A couple things to clarify:
- Make sure the PrintService Operational (and/or Admin) event logs are enabled in Windows.
- Ensure that the inputs.conf file you modified is in C:\Program Files\SplunkUniversalForwarder\etc\system\local
- Restart the Splunk Universal Forwarder service after any modifications to the file.
FWIW, my Splunk Forwarder service runs under LocalSystem account, not a specific user account. Are you seeing the same errors I saw in my Splunk logs?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looking for a solution to this as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you get a solution for this? I'm facing the same error and can not figure out what's going on.
thanks
Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!
Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console
Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!
