I am using the below to show the total available disk in a single panel:
<single>
  <search>
    <query>index=abc source=disk host=$host$ earliest=-10m@m | eval total = (TotalSpaceKB/(1024*1024)) | stats avg(total) | rename avg(total) AS total</query>
  </search>
  <option name="height">30</option>
  <option name="drilldown">none</option>
  <option name="numberPrecision">0</option>
  <option name="underLabel">Total Disk in GB</option>
  <option name="showSparkline">0</option>
  <option name="showTrendIndicator">0</option>
</single>
I can see the result in the panel; it shows 250 GB. Now, when I actually check the total disk space on that machine, it is 237 GB. Not sure why Splunk shows 13 GB extra. This machine only has one C drive. To collect disk data I am using:
[WinHostMon://Disk]
interval = 600
disabled = 0
type = Disk
index = abc
Can anyone suggest what I am doing wrong here?
Probably your calculation of GB is wrong:
| eval total = TotalSpaceKB/1000000
You should use
| eval total = TotalSpaceKB/1024/1024
@vikas_gopal - Did cusello's answer help solve your question? If so, please don't forget to click "Accept" below his answer to resolve this post. Thank you.
Since you are getting a performance counter for your disk utilization, shouldn't you always be trying to read only the single latest event? Assuming your inbound data arrives every 10 minutes.
index=abc source=disk host=$host$ earliest=-10m@m | head 1 | eval totalGB = round(TotalSpaceKB/(1024*1024),0) | stats values(totalGB) as totalGB