<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Help with a free disk space query. in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-a-free-disk-space-query/m-p/628898#M107909</link>
    <description>&lt;P&gt;Making more headway but not 100% there, I tried "values" for stats in the case of instance and I got all the drive letters tied to the hosts but I can't seem to get the values themselves to populate:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;(index=main) sourcetype=perfmon:LogicalDisk instance!=_Total instance!=Harddisk* | eval FreePct-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(),true(),storage_free_percent), FreeMB-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(), true(),Free_Megabytes), FreePct-{instance}=storage_free_percent,FreeMB-{instance}=Free_Megabytes| search counter="% Free Space" | stats latest(_time) as _time, values(instance) as instance, latest(Value) as Value by host | eval Time=strftime (_time,"%Y-%m-%d %H:%M:%S") | table Time, host, instance, Value | eval Value=round(Value,0) | rename Value AS "Free%" | rename instance AS "Drive" | rename host AS "Host"&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thebankitgui_0-1675107695547.png" style="width: 695px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/23618i39CCE943FA01266D/image-dimensions/695x443?v=v2" width="695" height="443" role="button" title="thebankitgui_0-1675107695547.png" alt="thebankitgui_0-1675107695547.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Mon, 30 Jan 2023 19:42:10 GMT</pubDate>
    <dc:creator>thebankitgui</dc:creator>
    <dc:date>2023-01-30T19:42:10Z</dc:date>
    <item>
      <title>Help with a free disk space query</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-a-free-disk-space-query/m-p/628892#M107907</link>
      <description>&lt;P&gt;Hello Splunkers,&lt;/P&gt;
&lt;P&gt;I am attempting to gather the free disk space of all servers and create a report / alert based on it. Thus far I have the SPL set so it outputs the Time, Host, Drive and % Free but the results come back in a long list of pages.&lt;/P&gt;
&lt;P&gt;What I'd like to do is two-fold. First part is getting one result per Drive, so one result for each drive on a host and then I'd like to set up an alert for low disk space. Here's my SPL so far:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;(index=main) sourcetype=perfmon:LogicalDisk instance!=_Total instance!=Harddisk* | eval FreePct-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(),true(),storage_free_percent), FreeMB-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(), true(),Free_Megabytes), FreePct-{instance}=storage_free_percent,FreeMB-{instance}=Free_Megabytes| search counter="% Free Space" | eval Time=strftime (_time,"%Y-%m-%d %H:%M:%S") | table Time, host, instance, Value | eval Value=round(Value,0) | rename Value AS "Free%" | rename instance AS "Drive" | rename host AS "Host"&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The result is:&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thebankitgui_0-1675106121563.png" style="width: 570px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/23615i1AFBE26F8BE18835/image-dimensions/570x305?v=v2" width="570" height="305" role="button" title="thebankitgui_0-1675106121563.png" alt="thebankitgui_0-1675106121563.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 31 Jan 2023 14:27:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-a-free-disk-space-query/m-p/628892#M107907</guid>
      <dc:creator>thebankitgui</dc:creator>
      <dc:date>2023-01-31T14:27:47Z</dc:date>
    </item>
    <item>
      <title>Re: Help with a free disk space query.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-a-free-disk-space-query/m-p/628894#M107908</link>
      <description>&lt;P&gt;I've gotten it to list one drive per host but I can't seem to manipulate the SPL to show me all drives.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;(index=main) sourcetype=perfmon:LogicalDisk instance!=_Total instance!=Harddisk* | eval FreePct-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(),true(),storage_free_percent), FreeMB-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(), true(),Free_Megabytes), FreePct-{instance}=storage_free_percent,FreeMB-{instance}=Free_Megabytes| search counter="% Free Space" | stats latest(_time) as _time, latest(instance) as instance, latest(Value) as Value by host | eval Time=strftime (_time,"%Y-%m-%d %H:%M:%S") | table Time, host, instance, Value | eval Value=round(Value,0) | rename Value AS "Free%" | rename instance AS "Drive" | rename host AS "Host"&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thebankitgui_0-1675107018867.png" style="width: 659px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/23616i2702E2D7901E5877/image-dimensions/659x201?v=v2" width="659" height="201" role="button" title="thebankitgui_0-1675107018867.png" alt="thebankitgui_0-1675107018867.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 30 Jan 2023 19:44:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-a-free-disk-space-query/m-p/628894#M107908</guid>
      <dc:creator>thebankitgui</dc:creator>
      <dc:date>2023-01-30T19:44:01Z</dc:date>
    </item>
    <item>
      <title>Re: Help with a free disk space query.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-a-free-disk-space-query/m-p/628898#M107909</link>
      <description>&lt;P&gt;Making more headway but not 100% there, I tried "values" for stats in the case of instance and I got all the drive letters tied to the hosts but I can't seem to get the values themselves to populate:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;(index=main) sourcetype=perfmon:LogicalDisk instance!=_Total instance!=Harddisk* | eval FreePct-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(),true(),storage_free_percent), FreeMB-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(), true(),Free_Megabytes), FreePct-{instance}=storage_free_percent,FreeMB-{instance}=Free_Megabytes| search counter="% Free Space" | stats latest(_time) as _time, values(instance) as instance, latest(Value) as Value by host | eval Time=strftime (_time,"%Y-%m-%d %H:%M:%S") | table Time, host, instance, Value | eval Value=round(Value,0) | rename Value AS "Free%" | rename instance AS "Drive" | rename host AS "Host"&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thebankitgui_0-1675107695547.png" style="width: 695px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/23618i39CCE943FA01266D/image-dimensions/695x443?v=v2" width="695" height="443" role="button" title="thebankitgui_0-1675107695547.png" alt="thebankitgui_0-1675107695547.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 30 Jan 2023 19:42:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-a-free-disk-space-query/m-p/628898#M107909</guid>
      <dc:creator>thebankitgui</dc:creator>
      <dc:date>2023-01-30T19:42:10Z</dc:date>
    </item>
    <item>
      <title>Re: Help with a free disk space query.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-a-free-disk-space-query/m-p/628905#M107910</link>
      <description>&lt;P&gt;Alright, now I have the alert set up and it works but then the e-mail it sends will include all results over 1 minute with lots of duplicates. Now I need a way to say in the alert which host had low disk space. I have a custom trigger alert for free% &amp;lt; 10 so it will give me a long list of hosts repeated and the one less than 10 is in there (SSBDESKTOP2 in this instance). Just need to get it narrowed down:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thebankitgui_0-1675113750203.png" style="width: 544px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/23619iE1CCF4029C74B95B/image-dimensions/544x442?v=v2" width="544" height="442" role="button" title="thebankitgui_0-1675113750203.png" alt="thebankitgui_0-1675113750203.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thebankitgui_1-1675113820575.png" style="width: 400px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/23620i51C8D1407793D042/image-size/medium?v=v2&amp;amp;px=400" role="button" title="thebankitgui_1-1675113820575.png" alt="thebankitgui_1-1675113820575.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 30 Jan 2023 21:25:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-a-free-disk-space-query/m-p/628905#M107910</guid>
      <dc:creator>thebankitgui</dc:creator>
      <dc:date>2023-01-30T21:25:37Z</dc:date>
    </item>
  </channel>
</rss>

