Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Finding change in disk space
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Finding change in disk space
Hello,
Disk space on a series of servers is monitored every 10 minutes. What I want to do is run a search that says effectively "Change is Disk Space = Max(DiskSpaceToday) - Max(DiskSpace3MonthsAgo)" for each disk drive and sort by greatest change.
I am having trouble understanding a way to obtain the two different numbers & subtract in a single search.
Thanks for any help.
Kevin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks very much for both of your suggestions. This is a little outside the realm of the searches I am used to so I am having trouble wrapping my head around it a bit.
Here are the two searches that give me the data that I want.
source="WMI:FreeDiskSpace" earliest=-3mon@d latest=-3mon@d+d | stats Max(FreeMegabytes) as FreeMBs by host,Name | eval FreeGBs=FreeMBs/1024 | table host, Name, FreeGBs
source="WMI:FreeDiskSpace" earliest=-d@d latest=@d | stats Max(FreeMegabytes) as FreeMBs by host,Name | eval FreeGBs=FreeMBs/1024 | table host, Name, FreeGBs
So what I am hoping for is to add two panels (getting ahead of myself) to my dashboard, the first which is a table showing host, Name (which is the drive letter), Change.
The second would be a bar chart grouped by server & disk (combined with something like: "eval Drive=host+"-"+Name "?) with the 3 months ago disk space as one bar, the current as a second. (I can tackle this one as a separate item, but just trying to pain the picture of what I am trying to accomplish).
Thanks for your help,
Kevin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had a look at the syntax of one of the charts in the deployment monitor app for index throughput
and modified it to show disk usage now compared to the same time a week ago.
Obviously things such as index, sourcetype and counter may be different or not relevant to your install. But hopefully you should get the idea.
index="perfmon" counter="Free Megabytes" instance="C:" host="my_TargetServer" | timechart partial=f span=30 min(Value) as "Free Space" | eval marker = "Today" | eval _time = _time+1800 | append [search index="perfmon" counter="Free Megabytes" instance="C:" host="my_TargetServer" earliest=-7d@d-30m latest=-6d@d-30m | timechart span=30m min(Value) as "Free Space" | eval marker="Last Week" | eval _time = _time+86400*7+1800] | timechart min(Free Space) by marker
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a way I can just get it to poll just the free-space on the disk drive for the server in GB?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
earliest=-1d@d latest=@d sourcetype=diskspace
| stats max(DiskSpace) as DiskSpace by server
| eval t="today"
| append [ search earliest=-3m-1d@d latest=-3m@d sourcetype=diskspace
| stats max(DiskSpace) as DiskSpace by server
| eval t="threemonthsago" ]
| chart max(DiskSpace) by server,t
| eval changeinspace = today-threemonthsago
| sort - changeinspace
You can of course adjust the time ranges to suit the appropriate measurement period.
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Splunk MCP & Agentic AI: Machine Data Without Limits
