Hi,
The answer to this is probably so easy that I can't see it, but I am collecting disk info from my servers and creating an alert when space is less than 1 GB. The problem is that I have multiple drives in servers and each has a different size. Here is my query: basically, if the size is less than 1 GB in either C or D drive, send me an alert.
index="pa" host="NOC" Name="C:" OR Name="D:" FreeSpace | eval FreeSpace_in_GB = round((FreeSpace/1024/1024/1024), 2)|eval Size_in_GB = round((Size/1024/1024/1024),2)|table host,Name,Size_in_GB,FreeSpace_in_GB| dedup Name|search FreeSpace_in_GB < 1
Now I need to set this to less than %20 for each disk so it is going to be less than 14 for D drive and less than 20 for D drive.
When I add this to my search I am only getting c drive. What am I missing here?
index="pa" host="NOC" Name="C:" OR Name="D:" FreeSpace | eval FreeSpace_in_GB = round((FreeSpace/1024/1024/1024), 2)|eval Size_in_GB = round((Size/1024/1024/1024),2)|table host,Name,Size_in_GB,FreeSpace_in_GB| dedup Name|search Name="C:" FreeSpace_in_GB < 56 OR Name="D:" FreeSpace_in_GB <70
I mean I can create 2 different alerts, one for C and one for D, but I am sure I should be able to accomplish this with one query, right?
Thanks

You have your total size and FreeSpace available, so you can just compare the % difference in your where clause. This way you don't have to hard-code any size thresholds.
index="pa" host="NOC" Name="C:" OR Name="D:" FreeSpace | eval FreeSpace_in_GB = round((FreeSpace/1024/1024/1024), 2)|eval Size_in_GB = round((Size/1024/1024/1024),2)|table host,Name,Size_in_GB,FreeSpace_in_GB | eval FreeSpacePercent=(FreeSpace_in_GB*100/Size_in_GB) | where FreeSpacePercent<20

Running your command I get "No results found"

Just to make sure, I changed it to <90 so I could get results.

Can you run it without the where clause and see if all fields have values? Maybe post the output here.

I've changed the order in the query and now it seems to be working. I will test it, thanks.
FreeSpace | eval FreeSpace_in_GB = round((FreeSpace/1024/1024/1024), 2)|eval Size_in_GB = round((Size/1024/1024/1024),2)|eval freepercent = (FreeSpace_in_GB*100/Size_in_GB)|dedup Name|search freepercent < 94|table host,Name,Size_in_GB,FreeSpace_in_GB
I can also get results using where instead of search.
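
An added example, not part of any post in this thread: the percent-free check generalized to every host and drive in the index. It assumes the same `index="pa"` events with `host`, `Name`, `Size` and `FreeSpace` (bytes) extracted as fields, and it uses `stats latest(...)` per host and drive in place of `dedup Name`, because `dedup Name` on its own keeps one event per drive letter regardless of host.

```spl
index="pa" FreeSpace=* Size=*
| stats latest(FreeSpace) AS FreeSpace latest(Size) AS Size BY host, Name
| where Size > 0
| eval Size_in_GB = round(Size/1024/1024/1024, 2)
| eval FreeSpace_in_GB = round(FreeSpace/1024/1024/1024, 2)
| eval FreeSpacePercent = round(FreeSpace*100/Size, 2)
| where FreeSpacePercent < 20
| table host, Name, Size_in_GB, FreeSpace_in_GB, FreeSpacePercent
| sort host, Name
```

The percentage is computed from the raw byte counts so that rounding to GB does not skew small volumes, and `where Size > 0` drops rows that would divide by zero. If fixed per-drive thresholds are still wanted, group each drive's condition in parentheses, since the `search` command evaluates OR before AND: `search (Name="C:" FreeSpace_in_GB<56) OR (Name="D:" FreeSpace_in_GB<70)`.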
