Hi!

I have written a PowerShell Script to obtain Hard-Disk Informations for Local Drives and report it to Splunk.

If(Get-Command -Name 'Get-CimInstance' -ErrorAction SilentlyContinue) {
    $Drives = Get-CimInstance -Query 'SELECT * FROM Win32_LogicalDisk WHERE DriveType=3' -QueryDialect 'WQL'
} Else {
    $Drives = Get-WmiObject -Query 'SELECT * FROM Win32_LogicalDisk WHERE DriveType=3'
}

$Drives | ForEach-Object {
    $Drive = $_ | Select-Object FreeSpace,Size,FileSystem,VolumeSerialNumber,PercentFree,UsedGB,FreeGB,@{Name='DriveLetter';Expression={ $_.DeviceID }},IsSystemdrive
    $Drive.PercentFree = [Math]::Round(($Drive.FreeSpace / $Drive.Size * 100),2)
    $Drive.UsedGB = [Math]::Round((($Drive.Size - $Drive.FreeSpace) / 1GB),2) 
    $Drive.FreeGB = [Math]::Round(($Drive.FreeSpace / 1GB),2)
    If($Drive.DriveLetter -eq $env:SystemDrive) {
        $Drive.IsSystemdrive = $true
    } Else {
        $Drive.IsSystemdrive = $false
    }
    $Drive
}

This gives me  the following result in Splunk for a System  with Harddisk C and D 

FreeSpace          : 37910388835
Size               : 106847793152
FileSystem         : NTFS
VolumeSerialNumber : 64A9A098
PercentFree        : 53,54
UsedGB             : 46,23
FreeGB             : 53,28
DriveLetter        : C:
IsSystemdrive      : True
FreeSpace          : 27610488832
Size               : 268432306176
FileSystem         : NTFS
VolumeSerialNumber : E2651A32
PercentFree        : 10,29
UsedGB             : 224,28
FreeGB             : 25,71
DriveLetter        : D:
IsSystemdrive      : False

My Query skills are not the best ... 😞

How can I separate the PowerShell objects (Disk C: and D:) in a query?
For example; To monitor the system drive only?

This discussion is for learning, how to parse such PowerShell objects.
Not to use other workarounds.)

I'm also grateful if someone has tips on how to better prepare (separate) the PowerShell objects for Splunk searches.