We are collecting Windows 2008R2 Printer server logs and have identified event_id = 307 as the log that contains information about printed jobs. The Message however, has the rest of the information in it that we want to be able to report on. Namely we want to be able to generate reports with Printer, pages Printed, User, machine. User is easy since that is outside of the log. The others are a bit more difficult. The tactic we are using is to replace via regex those strings we don't want thusly:
source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode="307" Message=* | eval Machine=replace(Message, “^.*?on (.*?) was printed.*?”, “\1”) | eval Printer=replace(Message, “^.*?printed on (.*?) through port.*?”, “\1”) | eval Pages=replace(Message, “^.*?Pages printed: (.*?)\. No.*?”, “\1”) | table Machine, Printer, Pages, User
That fails out with this error:
SearchException: Error in 'eval' command: The expression is malformed. An unexpected character is reached at '“^.?on (.?) was printed.*?”, “\1”)'.
The Message data itself looks like this:
Message="Document 140, Microsoft Word - Document001 owned by personA on Machone001 was printed on HP_Printer001 through port 123.123.123.123. Size in bytes: 1219223. Pages printed: 27. No user action is required."
And we want to isolate three values…
The characters after "Pages printed:" and up to the "." In other words, the number of pages printed.
Then the same with the string before "through port", so that we know the printer name.
Then the string before "was printed", which gives us the name of the machine that originated the print job.
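To show the extraction the question is after in runnable form, here is an added example (not the poster's search, and not part of the original thread). It parses the Message layout shown above with one anchored regex, returns the fields the report needs, and aggregates pages per printer; the second and third messages are constructed test data, and the Splunk `rex` equivalent is given as a string for reference only and is not executed here.

```python
import re
from typing import Optional

# One pattern for the whole tail of the Message, anchored on the literal
# phrases "owned by", "on", "was printed on", "through port" and
# "Pages printed:". Anchoring on "owned by" avoids the ambiguity of a bare
# "on", which could also match inside a document name. The layout is taken
# from the sample in the question; other PrintService 307 messages are
# assumed to follow the same wording.
PRINT_JOB_RE = re.compile(
    r"owned by (?P<user>.+?) on (?P<machine>.+?) was printed on "
    r"(?P<printer>.+?) through port (?P<port>\S+?)\. "
    r"Size in bytes: (?P<bytes>\d+)\. Pages printed: (?P<pages>\d+)\."
)

# Assumed SPL equivalent using rex with named capture groups (not run here).
SPL_EQUIVALENT = r'''source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode=307
| rex field=Message "owned by (?<User>.+?) on (?<Machine>.+?) was printed on (?<Printer>.+?) through port \S+\. Size in bytes: (?<Bytes>\d+)\. Pages printed: (?<Pages>\d+)\."
| table Machine, Printer, Pages, User'''

# First message is the sample from the question; the other two are constructed.
SAMPLE_MESSAGES = [
    "Document 140, Microsoft Word - Document001 owned by personA on Machone001 "
    "was printed on HP_Printer001 through port 123.123.123.123. "
    "Size in bytes: 1219223. Pages printed: 27. No user action is required.",
    # constructed: printer name containing spaces
    "Document 7, quarterly.pdf owned by personB on WS-22 was printed on "
    "Lobby Color LaserJet through port 10.0.0.9. Size in bytes: 4096. "
    "Pages printed: 3. No user action is required.",
    # constructed: a 307 message that does not follow the expected layout
    "Document 8 owned by personC was deleted before printing.",
]


def parse_print_event(message: str) -> Optional[dict]:
    """Return machine/printer/pages/user (plus port and bytes) from a
    PrintService 307 Message, or None when the layout does not match."""
    m = PRINT_JOB_RE.search(message)
    if m is None:
        return None
    fields = m.groupdict()
    fields["pages"] = int(fields["pages"])
    fields["bytes"] = int(fields["bytes"])
    return fields


def pages_by_printer(messages) -> dict:
    """Aggregate printed pages per printer, skipping messages that do not parse."""
    totals: dict = {}
    for msg in messages:
        event = parse_print_event(msg)
        if event is None:
            continue
        totals[event["printer"]] = totals.get(event["printer"], 0) + event["pages"]
    return totals


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(parse_print_event(msg))
    print(pages_by_printer(SAMPLE_MESSAGES))
```

The non-greedy `.+?` captures stop at the next literal phrase, so printer and machine names containing spaces still extract correctly; a message that does not follow the layout yields None rather than a garbage field, which is what you want before building a report on the numbers.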