The venerable old-skool Splunk forums are now closed. Feel free to search for old content here, but new posts are no longer supported.

Instead, please visit the thriving community at answers.splunk.com to ask and answer questions about your Splunk deployment and how to get the most out of it.

Forums: SplunkGeneral: Help Parsing general message field and counting the result.




Hi

I am new to Splunk and am testing it by sending Windows event logs from a print server. I am trying to extract how many pages get printed. I can sort the results easily by the number of events per user; however, actually counting the number of pages seems a little more difficult. I have browsed the manual and cheat sheet but have been unable to get the results I am looking for. Here is an example of the output from the event log:

CategoryString=NULL
ComputerName=BLAH
EventCode=10
EventIdentifier=1073741834
EventType=3
Logfile=System
RecordNumber=225770
SourceName=Print
TimeGenerated=20100311104254.000000+180
TimeWritten=20100311104254.000000+180
Type=Information
User=DOMAIN\USER
wmi_type=WinEventLog:System
Message=Document 192, Microsoft Office Outlook - Memo Style owned by USER was printed on HP Color LaserJet CM4730 MFP PCL 6 via port IP_NUMBERS. Size in bytes: 835612; pages printed: 2

How can I parse out the "pages printed:" value and count how many pages have been printed?

Thanks for your help.

SourceName=Print source=*WinEventLog:System | rex "pages printed: (?<pgs>\d+) | stats sum(pgs)

[Revised on Fri, 12 Mar 2010 23:44:35 -0800]

typo:

SourceName=Print source=*WinEventLog:System | rex "pages printed: (?\d+)" | stats sum(pgs)

[Revised on Fri, 12 Mar 2010 23:45:13 -0800]

ugh, again:

SourceName=Print source=*WinEventLog:System | rex "pages printed: (?<pgs>\d+)" | stats sum(pgs)

gkanapathy

You rock. That is great.

Thanks for the quick reply.

andy

Very cool stuff.

List of top ten users who print the most this month

SourceName=Print source=*WinEventLog:System date_month=march | rex "pages printed: (?<pgs>\d+)" | chart sum(pgs) by User | sort -sum(pgs)

Splunk is very exciting, if a little intimidating for some of the more advanced reports. My learning project is to provide printing metrics, and so far I have successfully taken this regex method and parsed values individually out of the "Message" field provided by the event log forwarding. I am stuck trying to create a stacked chart that counts the total pages printed by a user (easy, that's the above) but also provides different colour values within the bar for different printing sources (Word, Excel, PDFs, ...). Here is a sample of the Message field.

Document 99, https://www.visualcompliance.com/vce/rps_listing.cfm owned by USER was printed on HP Color LaserJet via port IP_xxx.xxx.xxx.xxx. Size in bytes: 532028; pages printed: 1

Document 99, https://www.visualcompliance.com/vce/rps_listing.cfm owned by USER was printed on HP Color LaserJet via port IP_xxx.xxx.xxx.xxx. Size in bytes: 473636; pages printed: 1

Document 99, Daily Reports.xls owned by USER was printed on HP Color LaserJet via port IP_10.10.100.7. Size in bytes: 70933; pages printed: 1

Document 99, Microsoft Word - Attachment B -Roof Repair.doc owned by USER was printed on HP Color LaserJet via port IP_xxx.xxx.xxx.xxx. Size in bytes: 26903808; pages printed: 7

Document 98, null owned by USER was printed on HP LaserJet via port IP_xxx.xxx.xxx.xxx. Size in bytes: 100526; pages printed: 3

Document 98, https://www.visualcompliance.com/vce/rps_listing.cfm owned by USER was printed on HP Color LaserJet port IP_xxx.xxx.xxx.xxx. Size in bytes: 473636; pages printed: 1

Document 98, ChangeOfLocation.xls owned by USER was printed on HP LaserJet via port IP_xxx.xxx.xxx.xxx. Size in bytes: 215172; pages printed: 1

Document 98, Crystal Reports - 01.ACCTDI owned by USER was printed on HP LaserJet via port IP_xxx.xxx.xxx.xxx. Size in bytes: 55624; pages printed: 1

Document 97, null owned by USER was printed on HP LaserJet via port IP_xxx.xxx.xxx.xxx. Size in bytes: 116623; pages printed: 2

I am unsure how to approach this.

Thanks

SourceName=Print source=*WinEventLog:System | rex field=Message "^Document \d+, .*?(?<filetype>\.\w+)? owned.*?pages printed: (?<pgs>\d+)" | chart usenull=t sum(pgs) by User,filetype

will probably do it. Note the first might be done as a multiple-month time chart:

SourceName=Print source=*WinEventLog:System earliest=-4mon@mon latest=@mon | rex "pages printed: (?<pgs>\d+)" | timechart span=1mon sum(pgs) by User

but you can't do that with the one that splits by document type because we can't plot that many axes.

hmm no results with this. I'll digest the syntax and see what I can figure out.

Thanks for your help gkanapathy

Yeah, I probably have at least one typo in there, but I hope you get the idea.
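An added example, not code from the thread: the two regexes from gkanapathy's replies (the plain "pages printed" capture and the one that also pulls a file extension out of the document name) run in Python over constructed Message values adapted from the samples posted above, so the captures and the per-user sums can be checked offline. The owner names alice and bob are made up; the sample event layout mirrors the key=value dump in the first post. The block also shows why an anchored `^Document` pattern needs to be applied to the Message field rather than to the whole event, since rex works on `_raw` unless given `field=`, and in `_raw` the text starts with `CategoryString=...`, not `Document`.

```python
import re
from collections import defaultdict

# Constructed sample event, laid out the way the original post shows a
# WinEventLog:System event (one key=value per line); values are anonymised.
RAW_EVENT = r"""CategoryString=NULL
ComputerName=BLAH
EventCode=10
SourceName=Print
User=DOMAIN\alice
wmi_type=WinEventLog:System
Message=Document 192, Microsoft Office Outlook - Memo Style owned by alice was printed on HP Color LaserJet CM4730 MFP PCL 6 via port IP_NUMBERS. Size in bytes: 835612; pages printed: 2"""

# Constructed Message values adapted from the thread's samples; the owner
# names (alice, bob) are invented so the per-user breakdown has two rows.
MESSAGES = [
    "Document 192, Microsoft Office Outlook - Memo Style owned by alice was printed on HP Color LaserJet CM4730 MFP PCL 6 via port IP_NUMBERS. Size in bytes: 835612; pages printed: 2",
    "Document 99, https://www.visualcompliance.com/vce/rps_listing.cfm owned by bob was printed on HP Color LaserJet via port IP_xxx.xxx.xxx.xxx. Size in bytes: 532028; pages printed: 1",
    "Document 99, Daily Reports.xls owned by alice was printed on HP Color LaserJet via port IP_10.10.100.7. Size in bytes: 70933; pages printed: 1",
    "Document 99, Microsoft Word - Attachment B -Roof Repair.doc owned by bob was printed on HP Color LaserJet via port IP_xxx.xxx.xxx.xxx. Size in bytes: 26903808; pages printed: 7",
    "Document 98, null owned by alice was printed on HP LaserJet via port IP_xxx.xxx.xxx.xxx. Size in bytes: 100526; pages printed: 3",
    "Document 98, Crystal Reports - 01.ACCTDI owned by bob was printed on HP LaserJet via port IP_xxx.xxx.xxx.xxx. Size in bytes: 55624; pages printed: 1",
]

# Equivalent of rex "pages printed: (?<pgs>\d+)" from the first reply.
# Python spells a named group (?P<name>...); Splunk's rex uses (?<name>...).
PAGES_RE = re.compile(r"pages printed: (?P<pgs>\d+)")

# Equivalent of the second reply's regex, plus a capture of the job owner.
# The lazy .*? stops at the first ".ext"-looking token that is followed by
# " owned", so a URL ending in rps_listing.cfm yields ".cfm", "null" yields
# no filetype at all, and "Memo Style" (no dot) also yields none.
DOC_RE = re.compile(
    r"^Document \d+, .*?(?P<filetype>\.\w+)? owned by (?P<user>\S+)"
    r".*?pages printed: (?P<pgs>\d+)"
)


def extract_kv(raw_event):
    """Split a key=value-per-line event into a dict, which is roughly what
    Splunk's automatic key=value extraction gives for these events."""
    fields = {}
    for line in raw_event.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_print_message(message):
    """Return {'user', 'filetype', 'pages'} for one print-job Message, or None."""
    m = DOC_RE.search(message)
    if m is None:
        return None
    return {"user": m["user"], "filetype": m["filetype"], "pages": int(m["pgs"])}


def parse_raw_event(raw_event):
    """Apply the anchored regex to the Message field only (rex field=Message).
    Against the whole event the ^ anchor sits in front of CategoryString=...,
    so DOC_RE.search(RAW_EVENT) returns None."""
    return parse_print_message(extract_kv(raw_event).get("Message", ""))


def total_pages(messages):
    """stats sum(pgs): events without the phrase contribute nothing."""
    total = 0
    for msg in messages:
        m = PAGES_RE.search(msg)
        if m:
            total += int(m["pgs"])
    return total


def pages_by_user(messages):
    """chart sum(pgs) by User | sort -sum(pgs), keyed on the owner captured
    from the Message text (the SPL keys on the event's User field instead)."""
    totals = defaultdict(int)
    for msg in messages:
        rec = parse_print_message(msg)
        if rec:
            totals[rec["user"]] += rec["pages"]
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def pages_by_user_and_filetype(messages):
    """chart usenull=t sum(pgs) by User,filetype: a job with no recognisable
    extension lands in a "NULL" column, which is what usenull=t keeps."""
    table = defaultdict(lambda: defaultdict(int))
    for msg in messages:
        rec = parse_print_message(msg)
        if rec:
            table[rec["user"]][rec["filetype"] or "NULL"] += rec["pages"]
    return {user: dict(cols) for user, cols in table.items()}


if __name__ == "__main__":
    print("anchored regex against whole event:", DOC_RE.search(RAW_EVENT))
    print("anchored regex against Message field:", parse_raw_event(RAW_EVENT))
    print("total pages:", total_pages(MESSAGES))
    print("by user:", pages_by_user(MESSAGES))
    print("by user and filetype:", pages_by_user_and_filetype(MESSAGES))
```

Two things worth carrying back to the SPL: the `^` anchor silently produces empty `pgs` fields unless `rex` is given `field=Message`, and the file-extension capture is a heuristic on the document title, so a title like `01.ACCTDI` gets bucketed as an extension while an untitled or URL-titled job may not; treat the by-filetype chart as approximate.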