Solved

SQL Query of Print event ID 10 in event viewer

Posted on 2011-02-15
4
698 Views
Last Modified: 2012-05-11
I have logparser 2.2 from microsoft.  ANd I have some example SQL queries for event viewer.
But I'm not an SQL person so I don't know how to modify this query.
The below query prints out who printed in the last 2 days and how many pages and the total file size.
I want a specific date range, like 2/4/11 thru 2/7/11 not the last 2 days
Can someone modify this so I can run that?
ALso, I'd prefer details instead of just totals, like filenames is really what I'm looking for.
The below script gives you totals

DatePrinted      FileOwner           FileSizeTotal      PagesPrintedTotal
2011-02-14      Julia          1216267      10
2011-02-15      Julia      116490016      69
2011-02-15      Paul      6499548                      58

SCRIPT BELOW:

SELECT
      TO_STRING(TimeGenerated, 'yyyy-MM-dd') AS DatePrinted,
      SUBSTR( Message, ADD(INDEX_OF(Message, ' owned by '), 10), SUB(SUB(INDEX_OF(Message, ' was printed on '), INDEX_OF(Message, ' owned by ' )), 10) )  AS FileOwner,
      SUM(TO_INT(SUBSTR( Message, ADD(INDEX_OF(Message, '. Size in bytes: '), 17), SUB(SUB(INDEX_OF(Message, '; pages printed: '), INDEX_OF(Message, '. Size in bytes: ' )), 17) ) ) ) AS FileSizeTotal,
      SUM(TO_INT(TRIM(SUBSTR( Message, ADD(INDEX_OF(Message, '; pages printed: '), 17), SUB(SUB(STRLEN(Message), INDEX_OF(Message, '; pages printed: ' )), 17) ) ) ) ) AS PagesPrintedTotal
INTO PrintJobsLast2DaysByOwner.txt
FROM System
WHERE (EventID = 10
      AND TimeGenerated >
            SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-03 00:00:00', 'yyyy-MM-dd hh:mm:ss'))
      )
GROUP BY DatePrinted, FileOwner


SELECT 
	TO_STRING(TimeGenerated, 'yyyy-MM-dd') AS DatePrinted,
	SUBSTR( Message, ADD(INDEX_OF(Message, ' owned by '), 10), SUB(SUB(INDEX_OF(Message, ' was printed on '), INDEX_OF(Message, ' owned by ' )), 10) )  AS FileOwner,
	SUM(TO_INT(SUBSTR( Message, ADD(INDEX_OF(Message, '. Size in bytes: '), 17), SUB(SUB(INDEX_OF(Message, '; pages printed: '), INDEX_OF(Message, '. Size in bytes: ' )), 17) ) ) ) AS FileSizeTotal,
	SUM(TO_INT(TRIM(SUBSTR( Message, ADD(INDEX_OF(Message, '; pages printed: '), 17), SUB(SUB(STRLEN(Message), INDEX_OF(Message, '; pages printed: ' )), 17) ) ) ) ) AS PagesPrintedTotal
INTO PrintJobsLast2DaysByOwner.txt 
FROM System 
WHERE (EventID = 10 
	AND TimeGenerated >
		SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-03 00:00:00', 'yyyy-MM-dd hh:mm:ss'))
	)
GROUP BY DatePrinted, FileOwner

Open in new window

0
Comment
Question by:atrevido
  • 2
  • 2
4 Comments
 
LVL 40

Expert Comment

by:Sharath
ID: 34902274
check this.
SELECT t1.*, 
       SUM(TO_INT(SUBSTR(t1.Message,ADD(INDEX_OF(t1.Message,'. Size in bytes: '), 
                                        17),SUB(SUB(INDEX_OF(t1.Message,'; pages printed: '),
                                                    INDEX_OF(t1.Message,'. Size in bytes: ')),
                                                17)))) 
         OVER(PARTITION BY DatePrinted,FileOwner ) AS FileSizeTotal, 
       SUM(TO_INT(TRIM(SUBSTR(t1.Message,ADD(INDEX_OF(t1.Message,'; pages printed: '), 
                                             17),SUB(SUB(STRLEN(t1.Message),INDEX_OF(t1.Message,'; pages printed: ')),
                                                     17))))) 
         OVER(PARTITION BY DatePrinted,FileOwner ) AS PagesPrintedTotal 
  INTO PrintJobsLast2DaysByOwner.txt 
  FROM (SELECT TO_STRING(t1.TimeGenerated,'yyyy-MM-dd') AS DatePrinted, 
               SUBSTR(Message,ADD(INDEX_OF(t1.Message,' owned by '),10), 
                      SUB(SUB(INDEX_OF(t1.Message,' was printed on '),INDEX_OF(t1.Message,' owned by ')),
                          10)) AS FileOwner, 
               t1.* 
          FROM System AS t1 
         WHERE (EventID = 10 
                AND TimeGenerated > SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()),TIMESTAMP('0000-01-03 00:00:00','yyyy-MM-dd hh:mm:ss')))) AS t1

Open in new window

0
 
LVL 12

Author Comment

by:atrevido
ID: 34902352
that didn't work

C:\Program Files\Log Parser 2.2>LogParser.exe -i:EVT -o:TSV file:test.sql
Error: Syntax Error: <from-clause>: expecting FROM keyword instead of token '*,'

but i figured at least the 3 day window out.

SELECT
      TO_STRING(TimeGenerated, 'yyyy-MM-dd') AS DatePrinted,
      SUBSTR( Message, ADD(INDEX_OF(Message, ' owned by '), 10), SUB(SUB(INDEX_OF(Message, ' was printed on '), INDEX_OF(Message, ' owned by ' )), 10) )  AS FileOwner,
      SUM(TO_INT(SUBSTR( Message, ADD(INDEX_OF(Message, '. Size in bytes: '), 17), SUB(SUB(INDEX_OF(Message, '; pages printed: '), INDEX_OF(Message, '. Size in bytes: ' )), 17) ) ) ) AS FileSizeTotal,
      SUM(TO_INT(TRIM(SUBSTR( Message, ADD(INDEX_OF(Message, '; pages printed: '), 17), SUB(SUB(STRLEN(Message), INDEX_OF(Message, '; pages printed: ' )), 17) ) ) ) ) AS PagesPrintedTotal
INTO PrintJobsFeb4ByOwner.txt
FROM System
WHERE (EventID = 10
      AND TimeGenerated BETWEEN TO_TIMESTAMP('2011-02-04 17:00:00', 'yyyy-MM-dd hh:mm:ss') AND TO_TIMESTAMP('2011-02-07 08:00:00', 'yyyy-MM-dd hh:mm:ss')

      )
GROUP BY DatePrinted, FileOwner
0
 
LVL 40

Accepted Solution

by:
Sharath earned 500 total points
ID: 34902379
may be this?
SELECT t1.*, 
       SUM(TO_INT(SUBSTR(t1.Message,ADD(INDEX_OF(t1.Message,'. Size in bytes: '), 
                                        17),SUB(SUB(INDEX_OF(t1.Message,'; pages printed: '),
                                                    INDEX_OF(t1.Message,'. Size in bytes: ')),
                                                17)))) 
         OVER(PARTITION BY t1.DatePrinted,t1.FileOwner ) AS FileSizeTotal, 
       SUM(TO_INT(TRIM(SUBSTR(t1.Message,ADD(INDEX_OF(t1.Message,'; pages printed: '), 
                                             17),SUB(SUB(STRLEN(t1.Message),INDEX_OF(t1.Message,'; pages printed: ')),
                                                     17))))) 
         OVER(PARTITION BY t1.DatePrinted,t1.FileOwner ) AS PagesPrintedTotal 
  INTO PrintJobsLast2DaysByOwner.txt 
  FROM (SELECT TO_STRING(t1.TimeGenerated,'yyyy-MM-dd') AS DatePrinted, 
               SUBSTR(Message,ADD(INDEX_OF(t1.Message,' owned by '),10), 
                      SUB(SUB(INDEX_OF(t1.Message,' was printed on '),INDEX_OF(t1.Message,' owned by ')),
                          10)) AS FileOwner, 
               t1.* 
          FROM System AS t1 
         WHERE (EventID = 10 
                AND TimeGenerated > SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()),TIMESTAMP('0000-01-03 00:00:00','yyyy-MM-dd hh:mm:ss')))) AS t1

Open in new window

0
 
LVL 12

Author Closing Comment

by:atrevido
ID: 34956193
I partially answered the question and the first attempt by the expert had many syntax errors.  Thanks for your help, you sent me in the right direction
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Why is this different from all of the other step by step guides?  Because I make a living as a DBA and not as a writer and I lived through this experience. Defining the name: When I talk to people they say different names on this subject stuff l…
This article explains how to reset the password of the sa account on a Microsoft SQL Server.  The steps in this article work in SQL 2005, 2008, 2008 R2, 2012, 2014 and 2016.
Using examples as well as descriptions, and references to Books Online, show the documentation available for date manipulation functions and by using a select few of these functions, show how date based data can be manipulated with these functions.
This videos aims to give the viewer a basic demonstration of how a user can query current session information by using the SYS_CONTEXT function

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question