winprintmon search results aren't showing the proper results for "total_pages"

pmac22
Path Finder

Hello, I'm having some issues with results for "total_pages" and "page_printed" field(s) showing the incorrect print page count. I have enabled the correct stanzas in the inputs.conf file for pulling winprintmon data and I can search it but the results are skewed. As an example, I printed a 4 page doc but in the search results the "total_pages" count is only showing 1 page and the "page_printed" is showing 0 pages. I created a new index just for the print info...

search = index=win_print host=printserver user=p_mac22 operation=set

search results:
operation=set
type=PrintJob
printer="my printer"
machine="my_laptop"
user="p_mac22"
document="new 1"
notify_name="p_mac22"
JobId=24
data_type="RAW"
print_processor="hpcpp175"
parameters=
driver_name="HP Universal Printing PCL 6 (v6.0.0)"
status="spooling,printing"
priority=1
total_pages=1
size_bytes=120
submitted_time="02/20/2019 15:44:34.901"
page_printed=0

The ms winevent (event viewer->application and service logs->Microsoft->Windows->PrintService->Operational) eventcode 307 gives the following details:
Document 24, Print Document owned by "p_mac22" on "my_laptop" was printed on "my printer" through port "my printer". Size in bytes: 92128. Pages printed: 4. No user action is required.

The XML details are:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
 <Provider Name="Microsoft-Windows-PrintService" Guid="{747EF6FD-E535-4D16-B510-42C90F6873A1}" /> 
 <EventID>307</EventID> 
<Version>0</Version> 
<Level>4</Level> 
<Task>26</Task> 
<Opcode>11</Opcode> 
<Keywords>0x4000000000000840</Keywords> 
<TimeCreated SystemTime="2019-02-20T15:44:35.213605400Z" /> 
<EventRecordID>22345065</EventRecordID> 
<Correlation /> 
<Execution ProcessID="796" ThreadID="3336" /> 
<Channel>Microsoft-Windows-PrintService/Operational</Channel> 
<Computer>Print Server</Computer> 
<Security UserID="S-1-5-21-3251799238-2349058309-3148061615-88888" /> 
</System>
 <UserData>
 <DocumentPrinted xmlns="http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events">
 <Param1>24</Param1> 
 <Param2>Print Document</Param2> 
 <Param3>p_mac22</Param3> 
 <Param4>my laptop</Param4> 
 <Param5>my printer</Param5> 
 <Param6>my printer</Param6> 
 <Param7>92128</Param7> 
 <Param8>4</Param8> 
 </DocumentPrinted>
 </UserData>
 </Event>

Any ideas on how I can either get the correct search data/results for the print jobs or suggestions on what I may have configured incorrectly?

Thank you!!

0 Karma
1 Solution

pmac22
Path Finder

So I have some feedback from support which I'm thankful for, even though it's not a solution... They say it's a bug in MS.

"Basically, rather than holding up computer operations while the CPU (fast) controls the printer (slow) directly, the file to be printed is written to a separate directory where a special subsystem handles the printing job thus offloading the CPU."
So, the job is not completed yet, but we decide not to index any further when we see this Status.

My workaround now is going to be adding a new line in the stanza of the inputs.conf file to pull in the PrinterServices>Operational logs of my print servers and just do a query for eventcode=307 for my reporting. It's gonna be messy but hopefully it will give me what I need.

If anyone else has any other suggestions, please let me know.

0 Karma
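For anyone validating the event 307 route described above, here is an added example (not part of the original posts, and not Splunk or Microsoft code) that extracts the final page count from a 307 event and compares it with the in-flight winprintmon snapshot for the same JobId. The Param1 to Param8 field names are an assumption inferred from the rendered message quoted in the question, the function names are hypothetical, and the sample events are constructed from the ones shown in the thread.

```python
import shlex
import xml.etree.ElementTree as ET

# Assumed Param order, read off the rendered 307 message in the question:
# "Document <1>, <2> owned by <3> on <4> was printed on <5> through port <6>. Size: <7>. Pages: <8>."
PARAMS = ["job_id", "document", "user", "machine", "printer", "port",
          "size_bytes", "pages_printed"]
EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed samples, trimmed from the events shown in the thread.
SAMPLE_307 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>307</EventID></System><UserData>
<DocumentPrinted xmlns="http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events">
<Param1>24</Param1><Param2>Print Document</Param2><Param3>p_mac22</Param3>
<Param4>my laptop</Param4><Param5>my printer</Param5><Param6>my printer</Param6>
<Param7>92128</Param7><Param8>4</Param8>
</DocumentPrinted></UserData></Event>"""

SAMPLE_WINPRINTMON = ('operation=set type=PrintJob user="p_mac22" JobId=24 '
                      'status="spooling,printing" total_pages=1 page_printed=0')

def parse_307(xml_text):
    """Return the DocumentPrinted fields of a 307 event, or None otherwise."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"{EVT}System/{EVT}EventID") != "307":
        return None
    userdata = root.find(f"{EVT}UserData")
    if userdata is None or len(userdata) == 0:
        return None
    # Match ParamN by local name so the spooler namespace is not hard-coded.
    values = {el.tag.rsplit("}", 1)[-1]: (el.text or "") for el in userdata[0]}
    rec = {name: values.get(f"Param{i}", "") for i, name in enumerate(PARAMS, 1)}
    for key in ("job_id", "size_bytes", "pages_printed"):
        rec[key] = int(rec[key] or 0)
    return rec

def parse_winprintmon(event_text):
    """Split a winprintmon key=value event into a dict (quotes removed)."""
    return dict(tok.split("=", 1) for tok in shlex.split(event_text) if "=" in tok)

def reconcile(monitor_event, xml_text):
    """Pair the winprintmon snapshot with the final 307 count for one job."""
    mon, done = parse_winprintmon(monitor_event), parse_307(xml_text)
    if done is None or int(mon["JobId"]) != done["job_id"]:
        return None
    return {"job_id": done["job_id"], "user": done["user"],
            "snapshot_pages": int(mon["total_pages"]),
            "final_pages": done["pages_printed"],
            "in_flight": "spooling" in mon["status"]}
```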

Bob_Ske
New Member

Hey there,

 

I know this is old but could I ask what you added to inputs.conf to resolve this? I'm currently running into this issue now.

0 Karma