- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Issue with printmon query not showing the proper r...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue with printmon query not showing the proper results for "total_pages"
ALCON,
Hello, I am having issues with printmon query results not showing the proper results for "total_pages". The page_printed is always equal to zero (0). Moreover, total_pages value is also not right as when I print 5 pages it is telling only 1. Any solution to that?
One Example Query: (ALL "printmon" Queries give me the same inaccurate results)
Index=wineventlog eventtype=printmon_windows (host=”Printer Name” OR host=”Printer Name”) user=”If looking for specific user info”
| table _time, user, document, machine, printer, driver_name, total-pages, size_bytes
| rename user as “User”, document as “Document”, machine as “Host”, printer as “Location”, driver_name as “Driver”, total_pages as “Total Pages”, size_bytes as “Bytes”
| dedup document
| sort - _time
Other Links about Subject but old info without any solution or fix:
1. WinPrintMon not logging page_printed correctly (24May2015)
2. 1winprintmon search results aren't showing the proper results for "total_pages" (20Feb2019 at 0826)
Please provide example query or where to find the fix.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yuanliu,
You were correct. During an audit of the PrintMon inputs, we discovered that the system\default configuration on all servers was disabling the necessary inputs on the print server. After modifying and consolidating the inputs from all servers to the print server, the print service\operational log, including Event ID 307 with the "total_pages" field, is now being collected correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forget all the older posts that do not have answer. So, you are telling fellow Splunk users that you have a Windows source that that outputs 0 in page_printed field when someone printed more than 0 pages on a Windows machine, and when you print 5 pages on that Windows machine, this Windows source gives 1 in total_pages field. Is this correct? Because that is what your sample code would suggest. There is nothing Splunk does in your code to change, or aggregate, or do anything to affect these field values. If all the older posts you linked are like this, no wonder they receive no answer. Because this is not a Splunk question.
I suggest the following:
- Examine eventlog directly on that Windows machine to see if it has the correct values. Troubleshoot Windows if those values are believed to be bad. Splunk forum will not be useful to you.
- Compare the source events Splunk ingested from that Windows machine with your direct copy of Windows log. Troubleshoot ingestion problem if they are different. (Getting Data In is a better forum for this. But make sure you present evidence that the two are different. Alternatively, engage support.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yuanliu,
Thanks for the info and I will look into that and respond with my finding.
Fueling your curiosity with new Splunk ILT and eLearning courses
Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...
Unleash Unified Security and Observability with Splunk Cloud Platform
