
Disk Space Free over time - Multiple instances, multiple server hosts

Explorer

I am working on a chart that would show all servers with each of their hard drives, mapping their drive space over a time period. I would like to get this into a trellis chart where each trellis shows the server and each line represents the space free over time.

I keep running into problems with this as I can only manage to get an average of the disk space free into each report on each drive.
Example:
Server1
Drives C;D;E;F;Y

Server2
Drives C;F;Y;Z

Server3
Drive B;C;F;Y;Z

My query below gives me all the information I want except that it will not map the drivespace over time - hoping for some help.

sourcetype="perfmon:logicaldisk" |bucket _time span=10m
| chart avg(Value) over instance by host limit=0 | rename instance as drive


Re: Disk Space Free over time - Multiple instances, multiple server hosts

Legend

You can try switching from avg(Value) to min(Value) for the minimum available disk space, or last(Value) for the final available disk space, for each time span (10 min in your case).

sourcetype="perfmon:logicaldisk"
| chart span=10m last(Value) over instance by host limit=0 
| rename instance as drive



| eval message="Happy Splunking!!!"



Re: Disk Space Free over time - Multiple instances, multiple server hosts

Explorer

So that just changes which values I am getting for the search -- It still refuses to show me that information spanned over time due to the fact there are 4 data inputs for the charts. _time, host, instance, and value - I want Host to be the header to the field, instance to be the lines, value to be one axis and time the other..


Re: Disk Space Free over time - Multiple instances, multiple server hosts

SplunkTrust

Try timechart.

sourcetype="perfmon:logicaldisk" | rename instance as drive | timechart span=10m min(Value) by host,drive
---
If this reply helps you, an upvote would be appreciated.

Re: Disk Space Free over time - Multiple instances, multiple server hosts

Explorer

When adding drive after host, timechart will not plot - timechart does not allow multi-field values; even using xyseries I cannot feed in all the information needed.


Re: Disk Space Free over time - Multiple instances, multiple server hosts

SplunkTrust

Sorry about that. Must have been too early in the morning. How about chart span=15m min(Value) over _time by host instance?

---
If this reply helps you, an upvote would be appreciated.

Re: Disk Space Free over time - Multiple instances, multiple server hosts

Explorer

Same issue - cannot add another value past host.. this is my whole issue 🙂


Re: Disk Space Free over time - Multiple instances, multiple server hosts

Explorer

So still working on this one - would this be the purpose of a pivot? I do not have much experience with them and I am thinking I may need to set that up in order to show the information I need in a logical way.


Re: Disk Space Free over time - Multiple instances, multiple server hosts

Explorer

I have pretty much solved my issue - unless someone can figure out a way to get this to be a bit more smooth. This basically separates host/drive by its own field - not optimal but it will work for the time being.

source="perfmon:logicaldisk" OR source="perfmon:sqlserverhost:logicaldisk" AND counter = "Free Megabytes" |bucket _time span=1d | eval HostDrive = host . ":" . instance |chart last(Value) over _time by HostDrive where count in top100
