Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Michael Wilde commented on Michael Wilde's video
Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
Mike Hartford commented on Michael Wilde's video
I want to give LDAP access to my splunk servcie but I don't want the LDAP users to have admin capabilitys in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication???
Mike Hartford left a comment for Jonathan Hawes
Helow Jonathan,
Glad to have another Splunker. I've been useing Splunk for 2 years and am hooked. I leared how to spell splunk and | transaction too. you'll learn that one soon.
Go over to Splunk…
Mike Hartford commented on Mike Hartford's blog post 'tees for the holy day'
Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!
The team that found them must have special bat senses and highly tooned Splunking skills
I like to wear Extra Lovable…
Combining 'timechart' and 'top' in a report? (looking for printers with most pages printed)
I'm a very beginning Splunk user. My main job is on the phones/email in the call center, but I'm also involved with all the printer maintenance on project. Got into Splunk in an effort to build some reports on printer usage, and later on reporting frequent printer errors in an effort to find problem printers early. We've had it running for awhile, but I'm really the first person here to start messing with it.
Anyway, I've managed fairly easily to get a search/report on pages printed.
host="printserver" source="WinEventLog:System" Pages="*" | timechart sum(Pages)
From the print server, narrow it down to System events, and only ones that have a page count field, then graph it out. Gonna work great for looking at our monthly print quantities.
What I'd like to do is figure out the individual printers that have printed the most pages. Then select whatever timeframe I'm looking at.
I can easily get the top printers with the following, but it only gives me the ones with the most print jobs, not most pages.
host="printserver" source="WinEventLog:System" Pages="*" | top printer limit=30
I'm trying to figure out how to combine the two, but just not getting anywhere. Either its something simple that I'm overlooking or don't know about, or its going to be something a little odd.
Any ideas?
Anyway, I've managed fairly easily to get a search/report on pages printed.
host="printserver" source="WinEventLog:System" Pages="*" | timechart sum(Pages)
From the print server, narrow it down to System events, and only ones that have a page count field, then graph it out. Gonna work great for looking at our monthly print quantities.
What I'd like to do is figure out the individual printers that have printed the most pages. Then select whatever timeframe I'm looking at.
I can easily get the top printers with the following, but it only gives me the ones with the most print jobs, not most pages.
host="printserver" source="WinEventLog:System" Pages="*" | top printer limit=30
I'm trying to figure out how to combine the two, but just not getting anywhere. Either its something simple that I'm overlooking or don't know about, or its going to be something a little odd.
Any ideas?
Views: 34
Replies to This Discussion
-
Permalink Reply by Bob Munson on -
Ian
The timechart command can do a lot more than you are asking of it for instance if you want daily totals split by printer, you can use
host="printserver" source="WinEventLog:System" Pages="*" | timechart span=1d sum(Pages) as Pages/day by printer
Or if you want a top list of printers use the chart command, sort it and pick the top 30.
host="printserver" source="WinEventLog:System" Pages="*" | chart sum(Pages) as Pages/day over printer | sort -Pages/day | head 30
I hope that Helps
Bob
-
Permalink Reply by Ian Hoffman on
-
That is... EXCELLENT! Thanks!
That also got me going on some other stuff I'm working with, hadn't realized being able to chain the commands like that. Also doing the chart command with 'as' and 'over', going to be able to make use of that.
We're looking at printer use over the last 30 and 90 days, so my next step is to work on getting this as a summary index and then reporting on that. Then to work on having it in a dashboard view. And then working on getting printer errors captured in Splunk and getting those to a dashboard showing the printers with the most errors, hopefully finding the problem hardware before its a problem.
Still just getting going with this, but having fun, and know that I've got a ways to go.
© 2012 Created by Michael Wilde.
