Alerting

Free disk space

ravir_jbp
Explorer

I am trying to get the free space in % for the C, D and E drives. I have the below events in Splunk.

 

02/25/2021 08:22:32.272 -0600
collection=LogicalDisk
object=LogicalDisk
counter="% Free Space"
instance=E:
Value=4284.377358490566

02/25/2021 08:20:32.264 -0600
collection=LogicalDisk
object=LogicalDisk
counter="% Free Space"
instance=D:
Value=98.32841691248771

02/25/2021 08:26:32.298 -0600
collection=LogicalDisk
object=LogicalDisk
counter="% Free Space"
instance=C:
Value=43.12314853999153

 

I am looking for the data like

server name    Drive    Free space available
xyz            C:       20%
xyz            D:       30%

0 Karma

scelikok
SplunkTrust

Hi @ravir_jbp,

Your first sample event seems wrong; I assume it is a typo. But please try this:

index=windows collection=LogicalDisk object=LogicalDisk
| stats latest(Value) as value by host instance
| eval value=round(value,0).%
| rename instance as Drive, host as "Server Name", value as "Free space available"

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma

ravir_jbp
Explorer

Hi scelikok,

 

I am getting the below error while executing the script:

 

"Error in 'eval' command: The expression is malformed. An unexpected character is reached at '%'. The search job has failed due to an error. You may be able view the job in the Job Inspector."

0 Karma

scelikok
SplunkTrust

Sorry, I forgot the quotes; please try the below:

index=windows collection=LogicalDisk object=LogicalDisk
| stats latest(Value) as value by host instance
| eval value=round(value,0)."%"
| rename instance as Drive, host as "Server Name", value as "Free space available"

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma

gcusello
SplunkTrust

Hi @ravir_jbp,

you should also have another piece of information about your disks: the total space, "TotalSpaceKB".

This way you can calculate the percentage of free space.

I used the following search in a dashboard:

index=windows sourcetype=WinHostMon DriveType=fixed
| stats latest(TotalSpaceKB) AS TotalSpaceKB latest(FreeSpaceKB) AS FreeSpaceKB by host Name
| eval 
     Perc=(FreeSpaceKB/TotalSpaceKB)*100,
     TotalSpaceGB=TotalSpaceKB/1024/1024, 
     FreeSpaceGB=FreeSpaceKB/1024/1024 
| sort host 
| table host Name TotalSpaceGB FreeSpaceGB Perc 
| rename host AS "Server Name" Name AS "Drive" Perc AS "FreeSpace%"

that you could adapt to your needs.

Ciao.

Giuseppe

 

0 Karma

ravir_jbp
Explorer

 

Hi gcusello,

 

I did not find anything with the "TotalSpaceKB" counter, but I found the one below. I tried to run:

index=perfmon host=XXXXXXXX sourcetype="Perfmon:LogicalDisk" counter="Free Megabytes" instance="C:" OR instance="D:" OR instance="E:" | dedup instance, host

 

I am getting the events, but I am trying to get that in table format with total free space in GB. Currently it's showing as MB. Can you help me to convert this into GB?

 

Time Event
3/1/21
3:45:51.000 AM
03/01/2021 03:45:51.126 -0600
collection=LogicalDisk
object=LogicalDisk
counter="Free Megabytes"
instance=E:
Value=57853
host = XXXXX source = Perfmon:LogicalDisk sourcetype = Perfmon:LogicalDisk
3/1/21
3:45:51.000 AM
03/01/2021 03:45:51.126 -0600
collection=LogicalDisk
object=LogicalDisk
counter="Free Megabytes"
instance=D:
Value=5001
host = XXXXXXX source = Perfmon:LogicalDisk sourcetype = Perfmon:LogicalDisk
3/1/21
3:45:51.000 AM
03/01/2021 03:45:51.126 -0600
collection=LogicalDisk
object=LogicalDisk
counter="Free Megabytes"
instance=C:
Value=57853
host = XXXXXX source = Perfmon:LogicalDisk sourcetype = Perfmon:LogicalDisk

0 Karma

gcusello
SplunkTrust

Hi @ravir_jbp,

to convert the value from MB to GB, you have to use the eval command:

| eval FreeGigabytes=Value/1024

Ciao.

Giuseppe

0 Karma

ravir_jbp
Explorer

 

 

Hi gcusello,

 

Thank you for the prompt response. That worked for me. I have another doubt: I was trying to get the C:, D: and E: drive values into a table, but I am getting blank results.

index=perfmon host=XXXXXX sourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance="C:" OR instance="D:" OR instance="E:" | dedup counter | table host counter C:  E:| stats values(host), values(counter), values(C:), values(D:), values(E:)

 

Results I am getting here: I need to get the Value there in C D E

 


host	Space	                   C:	  D:	                 E:
XXXXXXX	Free Megabytes	 	 	 
XXXXXXX	% Free Space	 	 	 

 

0 Karma

ravir_jbp
Explorer
Hi, can you please help me with this solution as well. thank you
0 Karma
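
On the last question above: the C:, D: and E: columns come back blank because the events carry no fields with those names (the drive letter is a value of the instance field), and dedup counter keeps only one event per counter. One way to pivot the drives into columns, as an added example that is not from any participant in the thread; the index, sourcetype and counter names are taken from the searches above, and row is a helper field introduced here:

```spl
index=perfmon sourcetype="Perfmon:LogicalDisk" (counter="% Free Space" OR counter="Free Megabytes") (instance="C:" OR instance="D:" OR instance="E:")
| stats latest(Value) AS Value by host counter instance
| eval Value=if(counter="Free Megabytes", round(Value/1024, 1), round(Value, 1))
| eval Space=if(counter="Free Megabytes", "Free GB", counter)
| eval row=host."|".Space
| xyseries row instance Value
| eval host=mvindex(split(row, "|"), 0), Space=mvindex(split(row, "|"), 1)
| fields - row
| table host Space *
```

The stats step keeps the latest value per host, counter and drive; xyseries then turns each instance value into its own column, giving one row per host and counter.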