Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

WMI:FreeDiskSpace returns information about the CD-ROM drive on the server

usup_rajbahak
Path Finder
‎09-05-2012 02:06 PM

I am using the following wmi query to gather free disk space info on a Windows 2008 R2 server. The problem I have is that the query seems to be sending information not only of the local disk on the server but also of the CD-ROM drive installed on the server.

[WMI:FreeDiskSpace]
interval = 600
wql = select Name, FreeSpace from Win32_LogicalDisk
index = default
disabled = 0

Here's the data the universal forwarder on the server is sending to Splunk, which I think is the data for the CD-ROM drive. Notice the NULL value for the FreeSpace parameter?

20120905135639.531544
FreeSpace=NULL
Name=D:
wmi_type=FreeDiskSpace
host=paul Options| sourcetype=WMI:FreeDiskSpace Options| source=WMI:FreeDiskSpace Options

How do I get the universal forwarder send the free space information data only for the actual disk drives and not the cd-rom drive?

Thanks a lot in advance.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Drainy
Champion
‎09-05-2012 02:12 PM

You could always add a where to the end of your query, something like;

Where Name = 'C:' OR where Name = 'E:' etc, you may need to use C:\ depending on your system

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Drainy
Champion
‎09-05-2012 02:12 PM

You could always add a where to the end of your query, something like;

Where Name = 'C:' OR where Name = 'E:' etc, you may need to use C:\ depending on your system

0 Karma
Reply
Solved! Jump to solution

Drainy
Champion
‎09-05-2012 05:09 PM

Sorry, it wasn't very clear, the whole statement from where to 'E:' is to allow for two Names. The OR is part of the query 🙂

0 Karma
Reply
Solved! Jump to solution

usup_rajbahak
Path Finder
‎09-05-2012 02:42 PM

Thanks for your prompt reply Drainy. It's working for me now :-).

But then, what if I have two logical drives?

will "Where Name = 'C:' and 'the next logical drive:'" work?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...