Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk query to list all the unused printers from an print server.

sanketas
New Member
‎04-06-2021 11:06 PM

Team,

I have been using this below commands to verify whether particular print queues have printed from the print server.

But I am in need of a query ,filtering the print queues which are offiline \error from many years.

 

host=USSLCP1OPTIO0* SourceName=*Print* | rex "printed on (?<Printer_queue>\w+)" |rex "port (?<Port>\w+)" |rex "Size in bytes: (?<Size>\w+)" | search Printer_queue = * | timechart count(_raw) by Printer_queue

 

host=USSLCPRTHPENG0* SourceName=*Print* | rex "printed on (?<Printer_queue>\w+)" |rex "port (?<Port>\w+)" |rex "Size in bytes: (?<Size>\w+)" | search Printer_queue = * | timechart count(_raw) by Printer_queue limit=150

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-06-2021 11:30 PM

Hi @sanketas,

you could search for the printer_queue that didn't received bytes in the last period.

Only one question: if a printer is inactive or in error, does it send logs?

If yes, you can run something like this:

host=USSLCP1OPTIO0* SourceName=*Print* 
| rex "printed on (?<Printer_queue>\w+)" 
| rex "port (?<Port>\w+)" 
| rex "Size in bytes: (?<Size>\w+)" 
| search Printer_queue = * 
| stats sum(Size) AS Size by Printer_queue
| where Size=0

if instead the inactive printers don't send logs, you have to create a lookup (called e.g. "printers.csv", containing one column called "Printer_queue") containing the printers to monitor and check the list with this lookup, something like this:

host=USSLCP1OPTIO0* SourceName=*Print* 
| rex "printed on (?<Printer_queue>\w+)" 
| rex "port (?<Port>\w+)" 
| rex "Size in bytes: (?<Size>\w+)" 
| search Printer_queue = * 
| stats sum(Size) AS Size by Printer_queue
| append [ | inputlookup printers.csv | eval Size=0 | fields Printer_queue Size ]
| stats sum(Size) AS total BY Printer_queue 
| where total=0

The printers.csv lookup must be maintained using a scheduled search or manually, I prefer the second option to have a better control on the monitoring. 

One additional hint: use always the index in your searches, they are faster!

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...