All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the missing eventtype hostmon_windows in Splunk to generate the disk usage report for our host?

kkossery
Communicator
‎04-03-2015 09:03 AM

I wanted a disk report of my Windows systems and ran the following search,

eventtype=hostmon_windows Type=Disk host="*" FileSystem="*" DriveType="*" | dedup host, Name | eval FreeSpacePct=round(FreeSpaceKB/TotalSpaceKB*100) | eval TotalSpaceGB=round(TotalSpaceKB/1024/1024) | eval FreeSpaceGB=round(FreeSpaceKB/1024/1024) | search FreeSpacePct="*" TotalSpaceGB="*" | dedup host, Name, DriveType, TotalSpaceGB, FreeSpaceGB, FreeSpacePct | table host, Name, DriveType, TotalSpaceGB, FreeSpaceGB, FreeSpacePct

The search doesn't give any result. I checked if the eventtype exists by just putting,

eventtype=hostmon_windows

and this fails as well which means the eventtype doesn't exist in Splunk. How can I make sure this does and get Splunk to generate the disk usage report of our hosts.

Reply
1 Solution
Solved! Jump to solution
Solution

jbouch03
Path Finder
‎04-03-2015 09:21 AM

It's packaged as part of Splunk_TA_windows. Did you load the TA correctly, and add the stanza to the local/inputs.conf file in Splunk_TA_windows?

View solution in original post

Reply
Solved! Jump to solution
Solution

jbouch03
Path Finder
‎04-03-2015 09:21 AM

It's packaged as part of Splunk_TA_windows. Did you load the TA correctly, and add the stanza to the local/inputs.conf file in Splunk_TA_windows?

Reply
Solved! Jump to solution

kkossery
Communicator
‎04-03-2015 09:26 AM

what is the block of code that has to be added to inputs.conf.
need to verify this

0 Karma
Reply
Solved! Jump to solution

jbouch03
Path Finder
‎04-03-2015 09:33 AM

It looks like it comes from any stanza starting with [WinHostMon://]. I use [WinHostMon://disk] [WinHostMon://computer] and [WinHostMon://service] to create the eventtype. However, your original query states that you are specifically looking for the type disk, so here is my disk stanza:
[WinHostMon://disk]
type=disk
interval=300

Reply
Solved! Jump to solution

kkossery
Communicator
‎04-03-2015 09:40 AM

Thanks! That worked.
I didn't have this entry on my inputs.conf.

0 Karma
Reply
Solved! Jump to solution

jbouch03
Path Finder
‎04-03-2015 09:51 AM

Not a problem...remember to set your interval time accordingly. 300 is 5 minutes, but you probably won't need that much in your report. The higher the interval time the less license you will eat up during the day.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...