Re: Splunk query to list all the unused printers f...

sanketas · ‎04-06-2021

Team,

I have been using this below commands to verify whether particular print queues have printed from the print server.

But I am in need of a query ,filtering the print queues which are offiline \error from many years.

gcusello · ‎04-06-2021

Hi @sanketas,

you could search for the printer_queue that didn't received bytes in the last period.

Only one question: if a printer is inactive or in error, does it send logs?

If yes, you can run something like this:

host=USSLCP1OPTIO0* SourceName=*Print* 
| rex "printed on (?<Printer_queue>\w+)" 
| rex "port (?<Port>\w+)" 
| rex "Size in bytes: (?<Size>\w+)" 
| search Printer_queue = * 
| stats sum(Size) AS Size by Printer_queue
| where Size=0

if instead the inactive printers don't send logs, you have to create a lookup (called e.g. "printers.csv", containing one column called "Printer_queue") containing the printers to monitor and check the list with this lookup, something like this:

host=USSLCP1OPTIO0* SourceName=*Print* 
| rex "printed on (?<Printer_queue>\w+)" 
| rex "port (?<Port>\w+)" 
| rex "Size in bytes: (?<Size>\w+)" 
| search Printer_queue = * 
| stats sum(Size) AS Size by Printer_queue
| append [ | inputlookup printers.csv | eval Size=0 | fields Printer_queue Size ]
| stats sum(Size) AS total BY Printer_queue 
| where total=0

The printers.csv lookup must be maintained using a scheduled search or manually, I prefer the second option to have a better control on the monitoring.

One additional hint: use always the index in your searches, they are faster!

Ciao.

Giuseppe

Splunk query to list all the unused printers from an print server.

chart

stats

timechart

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!