Solved: Is there any configuration tricks concerning getti...

scottrunyon · ‎03-23-2018

We all know that Windows reporting and event logging are a complete mess, so this might not be a Splunk issue but I have to ask.

I have set up inputs.config to ingest Windows print jobs on a UF -
[WinPrintMon://jobs]
type=job
index=winprintmon

I am getting multiple copies of some events and only part of some events and missing some entirely. I noticed that the interval defaults to 60 seconds. There is a "special value" of 0, that forces this scripted input to be run continuously, If I would set the interval to 0, would this help? Or maybe making the interval longer, say interval=300, would decrease the duplicates?

As always, any help would be greatly appreciated so I can stopping pestering my Server Admin 🙂

Scott

Azeemering · ‎03-24-2018

I would actually increase the interval (600) and test what happens with that. Print servers are generally not too busy....
Also add baseline=0

View solution in original post

Azeemering · ‎03-24-2018

I would actually increase the interval (600) and test what happens with that. Print servers are generally not too busy....
Also add baseline=0

scottrunyon · ‎04-03-2018

I am adding those to the config. Hopefully it works.

Scott

scottrunyon · ‎04-06-2018

These changes didn't help.

I spoke with the system admin and after looking at the logs, he is opening a ticket with Microsoft.

Is there any configuration tricks concerning getting Windows Print Jobs into splunk?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life