Splunk Search

Trying to split the message text in a Windows event log

ssemone
New Member

We are collecting Windows 2008R2 Printer server logs and have identified event_id = 307 as the log that contains information about printed jobs. The Message however, has the rest of the information in it that we want to be able to report on. Namely we want to be able to generate reports with Printer, pages Printed, User, machine. User is easy since that is outside of the log. The others are a bit more difficult. The tactic we are using is to replace via regex those strings we don't want thusly:

source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode="307" Message=* | eval Machine=replace(Message, “^.?on (.?) was printed.?”, “\1”) | eval Printer=replace(Message, “^.?printed on (.?) through port.?”, “\1”) | eval Pages=replace(Message, “^.?Pages printed: (.?). No.*?”, “\1”) | table Machine, Printer, Pages, User

That fails out with this error: SearchException: Error in 'eval' command: The expression is malformed. An unexpected character is reached at '“^.?on (.?) was printed.*?”, “\1”)'.

The Message data itself looks like this:

Message="Document 140, Microsoft Word - Document001 owned by personA on Machone001 was printed on HP_Printer001 through port 123.123.123.123. Size in bytes: 1219223. Pages printed: 27. No user action is required."

And we want to isolate three values…

The characters after "Pages Printed:" and up to the ".". In other words the number of pages printed.

Then the same with the string before "through port" so that we know the printer name

Then the string before "was printed" which gives us the name of the machine that originated the print job.

Tags (3)
0 Karma
1 Solution

David
Splunk Employee
Splunk Employee

Try this:

source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode="307" | rex field=_raw "owned by (?<User>.*?) on (?<Machine>.*?) was printed on (?<Printer>.*?) through port .* Pages printed: (?<Pages>\d*)" | table Machine Printer Pages User

You can also toss the regular expressions in your local props.conf:
[WinEventLog:Microsoft-Windows-PrintService/Operational]
EXTRACT-Printer = owned by (?<User>.*?) on (?<Machine>.*?) was printed on (?<Printer>.*?) through port .* Pages printed: (?<Pages>\d*)

And then your query would just become:
source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode="307" | table Machine Printer Pages User

The sourcetype for the props.conf may be off -- I haven't made the jump to LWF yet -- but it should get you close.

View solution in original post

southeringtonp
Motivator

If you want to be more generic, you can always treat these as independent entries.

Technically this is less efficient, but probably not enough to be noticeable.

In transforms.conf:

[winprint-user]
REGEX = owned by (\S+)
FORMAT = user::$1

[winprint-pages]
REGEX = Pages printed: (\d+)
FORMAT = pages::$1

[winprint-machine]
REGEX = was printed on (\S+)
FORMAT = machine::$1

In props.conf:

[WinEventLog:Microsoft-Windows-PrintService/Operational]
REPORT-printing = winprint-user,winprint-pages,winprint-machine
0 Karma

David
Splunk Employee
Splunk Employee

Try this:

source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode="307" | rex field=_raw "owned by (?<User>.*?) on (?<Machine>.*?) was printed on (?<Printer>.*?) through port .* Pages printed: (?<Pages>\d*)" | table Machine Printer Pages User

You can also toss the regular expressions in your local props.conf:
[WinEventLog:Microsoft-Windows-PrintService/Operational]
EXTRACT-Printer = owned by (?<User>.*?) on (?<Machine>.*?) was printed on (?<Printer>.*?) through port .* Pages printed: (?<Pages>\d*)

And then your query would just become:
source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode="307" | table Machine Printer Pages User

The sourcetype for the props.conf may be off -- I haven't made the jump to LWF yet -- but it should get you close.

dionrivera
Path Finder

13 years later and this solution worked like a charm for me. Although, I wasn't able to use the props.conf file. Not sure if that's changed since this topic came up.

0 Karma

David
Splunk Employee
Splunk Employee

As an aside, here is the report I most enjoy:
[PrinterQuery| stats sum(Pages) as TotalPages by UserName | sort limit=10 -TotalPages | fields - TotalPages] PrinterQuery | chart sum(Pages) by User,Printer
The first part is a subquery that will generate a list of the top 10 users. The second part will put a chart of their printing habits. With the two combined, you can generate a stacked bar graph on a dashboard that will constantly show you the activities of your top printers.

0 Karma

David
Splunk Employee
Splunk Employee

Excellent! I'm glad to hear it works. And yeah -- Splunk really is awesome. Looking at printer logs (which I'd been sending to Splunk for about a year, but was totally unaware of) and all of a sudden being able to create interesting and useful reports was easy and awesome.

0 Karma

ssemone
New Member

This did it, thanks. We'll test out doing this via props.conf as well. Splunk is awesome.

0 Karma
Get Updates on the Splunk Community!

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...