Solved: Re: WMI:FreeDiskSpace returns information about th...

usup_rajbahak · ‎09-05-2012

I am using the following wmi query to gather free disk space info on a Windows 2008 R2 server. The problem I have is that the query seems to be sending information not only of the local disk on the server but also of the CD-ROM drive installed on the server.

[WMI:FreeDiskSpace]
interval = 600
wql = select Name, FreeSpace from Win32_LogicalDisk
index = default
disabled = 0

Here's the data the universal forwarder on the server is sending to Splunk, which I think is the data for the CD-ROM drive. Notice the NULL value for the FreeSpace parameter?

20120905135639.531544
FreeSpace=NULL
Name=D:
wmi_type=FreeDiskSpace
host=paul Options| sourcetype=WMI:FreeDiskSpace Options| source=WMI:FreeDiskSpace Options

How do I get the universal forwarder send the free space information data only for the actual disk drives and not the cd-rom drive?

Thanks a lot in advance.

Drainy · ‎09-05-2012

You could always add a where to the end of your query, something like;

Where Name = 'C:' OR where Name = 'E:' etc, you may need to use C:\ depending on your system

View solution in original post

Drainy · ‎09-05-2012

You could always add a where to the end of your query, something like;

Where Name = 'C:' OR where Name = 'E:' etc, you may need to use C:\ depending on your system

Drainy · ‎09-05-2012

Sorry, it wasn't very clear, the whole statement from where to 'E:' is to allow for two Names. The OR is part of the query 🙂

usup_rajbahak · ‎09-05-2012

Thanks for your prompt reply Drainy. It's working for me now :-).

But then, what if I have two logical drives?

will "Where Name = 'C:' and 'the next logical drive:'" work?

WMI:FreeDiskSpace returns information about the CD-ROM drive on the server

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?