Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Reporting on GB Used on a disk instead of GB F...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Reporting on GB Used on a disk instead of GB Free
I’m looking for a solution to report and chart the amount of disk space in use on a user defined set of Windows hosts. Right now I’m able to get both free space and % free space (through the metrics "LogicalDisk.Free_Megabytes" and "LogicalDisk.%_Free_Space") but the disk used is not reported. Is there a way to retrieve / derive the information based on calculations like 1) GB_free = (MB free value/1024 2) GB_total = ((GB_free*100)/(percentage free value)) and then 3) GB_used = GB_total-GB_free. Since the disk sizes vary between hosts, I figure using these performance values direct saves me from keeping a separate dataset of drive sizes, and the related need to keep that updated. Ultimately the reporting could be a report by time and by host, or a timechart showing disk usage for multiple hosts.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @m_collett,
I think it is because LogicalDisk fields are not in the output of your search. Please try below;
| mstats avg(_value) as value prestats=true WHERE index="em_metrics" AND metric_name IN ("LogicalDisk.Free_Megabytes" "LogicalDisk.%_Free_Space") AND instance="D:" $mstats_span$ host IN ($tok_machine$) by host metric_name
| eval FreeMB = if(metric_name=="LogicalDisk.Free_Megabytes",mvzip(host,value),null())
| eval FreeMB = if(isnotnull(FreeMB),mvzip(FreeMB,value),null())
| eval FreeSpace = if(metric_name=="LogicalDisk.%_Free_Space",mvzip(host,value),null())
| eval FreeSpace = if(isnotnull(FreeSpace),mvzip(FreeSpace,value),null())
| stats list(FreeMB) AS FreeMB, list(FreeSpace) AS FreeSpace by host _time
| makemv FreeMB delim=","
| makemv FreeSpace delim=","
| eval FreeMB = mvindex(FreeMB,1)
| eval FreeSpace = mvindex(FreeSpace,1)
| eval GB_Total=round((FreeMB*100/(100-FreeSpace))/1024,2)
| timechart $mstats_span$ max(GB_Total) as GB_Total by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After trying your new suggestion, I now get ""No results found." (and no errors). I'm going to try some other ideas, but any further comments are more than welcome.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi scelikok,
Thanks for the quick reply. When I try the eval string I get an "Error in eval command: Type checking failed. (*) only takes numbers" response.
Maybe the issue in my test is the prior search setup. My query starts as:
| mstats avg(_value) prestats=true WHERE "index"="em_metrics" AND metric_name IN ("LogicalDisk.Free_Megabytes" "LogicalDisk.%_Free_Space") AND "instance"="D:" $mstats_span$ host IN ($tok_machine$) by host
where $mstats_span$ and "tok_machine$ are from a time picker and drop down, and my typical output syntax looks like:
| timechart avg(_value)) as "Avg" agg=max limit=40 useother=false $timechart_span$ by host
Suggestions / comments more than welcome (since I'm a new member/user).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @m_collett,
Please try this;
| eval GB_Total=("LogicalDisk.Free_Megabytes"*100/(100-"LogicalDisk.%_Free_Space"))/1024
| timechart max(GB_Total) as GB_Total by host
Observe and Secure All Apps with Splunk
Splunk Decoded: Business Transactions vs Business IQ
Fastest way to demo Observability
