
Finding change in disk space

kholleran
Communicator

Hello,

Disk space on a series of servers is monitored every 10 minutes. What I want to do is run a search that says effectively "Change in Disk Space = Max(DiskSpaceToday) - Max(DiskSpace3MonthsAgo)" for each disk drive and sort by greatest change.

I am having trouble understanding a way to obtain the two different numbers & subtract in a single search.

Thanks for any help.

Kevin


kholleran
Communicator

Thanks very much for both of your suggestions. This is a little outside the realm of the searches I am used to so I am having trouble wrapping my head around it a bit.

Here are the two searches that give me the data that I want.

source="WMI:FreeDiskSpace" earliest=-3mon@d latest=-3mon@d+d | stats Max(FreeMegabytes) as FreeMBs by host,Name | eval FreeGBs=FreeMBs/1024 | table host, Name, FreeGBs

source="WMI:FreeDiskSpace" earliest=-d@d latest=@d | stats Max(FreeMegabytes) as FreeMBs by host,Name | eval FreeGBs=FreeMBs/1024 | table host, Name, FreeGBs

So what I am hoping for is to add two panels (getting ahead of myself) to my dashboard, the first which is a table showing host, Name (which is the drive letter), Change.

The second would be a bar chart grouped by server & disk (combined with something like: "eval Drive=host+"-"+Name "?) with the 3 months ago disk space as one bar, the current as a second. (I can tackle this one as a separate item, but just trying to paint the picture of what I am trying to accomplish).

Thanks for your help,

Kevin


Conradj
Path Finder

I had a look at the syntax of one of the charts in the deployment monitor app for index throughput
and modified it to show disk usage now compared to the same time a week ago.

Obviously things such as index, sourcetype and counter may be different or not relevant to your install. But hopefully you should get the idea.

index="perfmon" counter="Free Megabytes" instance="C:" host="my_TargetServer" | timechart partial=f span=30m min(Value) as "Free Space" | eval marker = "Today" | eval _time = _time+1800 | append [search index="perfmon" counter="Free Megabytes" instance="C:" host="my_TargetServer" earliest=-7d@d-30m latest=-6d@d-30m | timechart span=30m min(Value) as "Free Space" | eval marker="Last Week" | eval _time = _time+86400*7+1800] | timechart min("Free Space") by marker

bidahor13
Path Finder

Is there a way I can just get it to poll just the free-space on the disk drive for the server in GB?


gkanapathy
Splunk Employee
earliest=-1d@d latest=@d sourcetype=diskspace 
| stats max(DiskSpace) as DiskSpace by server 
| eval t="today"
| append [ search earliest=-3mon-1d@d latest=-3mon@d sourcetype=diskspace 
           | stats max(DiskSpace) as DiskSpace by server
           | eval t="threemonthsago" ]
| chart max(DiskSpace) by server,t
| eval changeinspace = today-threemonthsago
| sort - changeinspace

You can of course adjust the time ranges to suit the appropriate measurement period.

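The same append-then-chart technique applied to the WMI fields from the question, as an added example that is not part of any post above; it assumes the source name, FreeMegabytes, host and Name fields exactly as they appear in the asker's two searches, and builds the combined host-Name key the asker mentioned for the per-drive chart.

```spl
source="WMI:FreeDiskSpace" earliest=-1d@d latest=@d
| stats max(FreeMegabytes) as FreeMBs by host, Name
| eval t="today"
| append [ search source="WMI:FreeDiskSpace" earliest=-3mon@d latest=-3mon@d+d
           | stats max(FreeMegabytes) as FreeMBs by host, Name
           | eval t="threemonthsago" ]
| eval FreeGBs=round(FreeMBs/1024, 2), Drive=host."-".Name
| chart max(FreeGBs) over Drive by t
| eval Change=today-threemonthsago
| sort - Change
| table Drive, threemonthsago, today, Change
```

Drives that exist in only one of the two windows come back with a null Change rather than a misleading zero, and the `append` subsearch is subject to the usual subsearch result and time limits, so very large fleets may need the two halves combined differently. For the bar-chart panel, stop after the `chart` line and plot Drive on the x-axis with the two `t` columns as the series.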