Solved: Disk Space Free over time - Multiple instances, mu...

Seenon01 · ‎07-13-2017

I am working on a chart that would show all servers with each of their hard drives mapping their drive space over a time period. I would like to get this into a trellis charting where each trellis show the server and each line represents the space free over time.

I keep running into problems with this as I can only manage to get a average of the disk space free into each report on each drive.
example:
Server1
Drives C;D;E;F;Y

Server2
Drives C;F;Y;Z

Server3
Drive B;C;F;Y;Z

My query below gives me all the information I want except that it will not map the drivespace over time - hoping for some help.

sourcetype="perfmon:logicaldisk" |bucket _time span=10m
| chart avg(Value) over instance by host limit=0 | rename instance as drive

Seenon01 · ‎07-18-2017

I have pretty much solved my issue - unless someone can figure out a way to get this to be a bit more smooth - This basically seperates host/drive by its own field - not optimal but it will work for the time being.

source="perfmon:logicaldisk" OR source="perfmon:sqlserverhost:logicaldisk" AND counter = "Free Megabytes" |bucket _time span=1d | eval HostDrive = host . ":" . instance |chart last(Value) over _time by HostDrive where count in top100

View solution in original post

Seenon01 · ‎07-18-2017

I have pretty much solved my issue - unless someone can figure out a way to get this to be a bit more smooth - This basically seperates host/drive by its own field - not optimal but it will work for the time being.

source="perfmon:logicaldisk" OR source="perfmon:sqlserverhost:logicaldisk" AND counter = "Free Megabytes" |bucket _time span=1d | eval HostDrive = host . ":" . instance |chart last(Value) over _time by HostDrive where count in top100

Seenon01 · ‎07-18-2017

So still working on this one - would this be the purpose of a pivot ? Do not have much experience with them and I am thinking I may need to set that up in order to show the information I need in a logical way.

richgalloway · ‎07-14-2017

Try timechart.

sourcetype="perfmon:logicaldisk" | rename instance as drive | timechart span=10m min(Value) by host,drive

---
If this reply helps you, Karma would be appreciated.

Seenon01 · ‎07-14-2017

when adding drive after host timechart will not plot - timechart will does not allow multi field values, even using xyseries I cannot feed in all the information needed.

richgalloway · ‎07-14-2017

Sorry about that. Must have been too early in the morning. How about chart span=15m min(Value) over _time by host instance?

---
If this reply helps you, Karma would be appreciated.

Seenon01 · ‎07-14-2017

Same issue - cannot add another value past host.. this is my whole issue 🙂

niketn · ‎07-13-2017

You can try to switch from avg(Value) to min(Value) to minimum available disc space or last(Value) for final available disc space for each time span (10 min in your case)

sourcetype="perfmon:logicaldisk"
| chart span=10m last(Value) over instance by host limit=0 
| rename instance as drive

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Seenon01 · ‎07-14-2017

So that just changes which values I am getting for the search -- It still refuses to show me that information spanned over time due to the fact there are 4 data inputs for the charts. _time, host, instance, and value - I want Host to be the header to the field, instance to be the lines, value to be one axis and time the other..

Disk Space Free over time - Multiple instances, multiple server hosts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation