Below is the event count in Splunk. I am trying to create "% Free Space" for all three drives (C:, D:, E:).
03/02/2021 23:07:18.422 -0600
collection=LogicalDisk
... 1 line omitted ...
counter="% Free Space"
instance=D:
Value=98.36774827925271
host = YYYYYYYY source = Perfmon:LogicalDisk sourcetype = Perfmon:LogicalDisk
3/2/21 11:07:18.000 PM
======================
03/02/2021 23:07:18.422 -0600
collection=LogicalDisk
... 1 line omitted ...
counter="% Free Space"
instance=C:
Value=43.369467322069944
host = YYYYYYY source = Perfmon:LogicalDisk sourcetype = Perfmon:LogicalDisk
3/2/21 11:07:18.000 PM
========================
03/02/2021 23:07:18.949 -0600
collection=LogicalDisk
... 1 line omitted ...
counter="% Free Space"
instance=E:
Value=71.4197915987671
host = YYYYYYYY source = Perfmon:LogicalDisk sourcetype = Perfmon:LogicalDisk
3/2/21 11:07:18.000 PM
===========================
03/02/2021 23:07:18.949 -0600
collection=LogicalDisk
... 1 line omitted ...
counter="% Free Space"
instance=D:
Value=59.03638151425762
host = ZZZZZZZZZZ source = Perfmon:LogicalDisk sourcetype = Perfmon:LogicalDisk
3/2/21 11:07:18.000 PM
The Splunk script below is not working as expected. I also need the Value field rounded (currently getting decimals). I am looking for drive free space in table format for each host that I added in the script. Please help.
index=perfmon host=XXXXXXX OR host=YYYYYY OR host=ZZZZZZZZ sourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance="C:" OR instance="D:" OR instance="E:" Value
| sort counter, Value
| stats values(Value), values(instance), values(host)
| table values(host) values(instance) values(Value)
| rename values(host) as Hostname, values(instance) as drive, values(Value) as Totalfree%
In what way is it not expected?
Have the events already been split, each beginning with a timestamp?
Have the fields mentioned already been extracted?
Hello ITWhisperer,
I am getting the results like attached as a screenshot below. I have added 5 servers but I am only seeing C, D and E from each server; also, the Totalfree is not in proper table format. What I am expecting is to get C, D and E columns for each server and the total free value under those C, D and E drives.
Values in your stats command is removing duplicates - try list instead
| stats list(Value), list(instance), list(host)
Hi,
I have modified the script
index=perfmon host=XXXX OR host=YYYY OR host=ZZZZ sourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance="C:" OR instance="D:" OR instance="E:" Value
| dedup instance
| sort counter, Value
| stats list(Value), list(instance), list(host)
| rename list(Value) as Free%, list(instance) as Drives

But this time I only see data for one server though I have added three servers.
If you see the screenshot below from the results, I am only getting data for server XXX. I added multiple servers as YYY and ZZZ. Can you suggest how to fix this? Also, the free% seems to be a decimal value. How can we make it a rounded value as well?
eval Value=round(Value,0)
dedup instance is finding the first event for each drive - try
dedup instance host
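The pieces from the replies above, combined into one search. This is an added example, not part of the original thread. It keeps the thread's index, sourcetype, field names and placeholder hosts (XXXX, YYYY, ZZZZ), but swaps the suggested `dedup instance host` plus `list()` for `stats latest(Value) ... by host, instance`, and assumes the wanted layout is one row per host with one column per drive, which `xyseries` produces.

```spl
index=perfmon sourcetype="Perfmon:LogicalDisk" counter="% Free Space"
    (host=XXXX OR host=YYYY OR host=ZZZZ)
    (instance="C:" OR instance="D:" OR instance="E:")
| stats latest(Value) as Value by host, instance
| eval Value=round(Value, 0)
| xyseries host instance Value
| rename host as Hostname
```

Grouping by both `host` and `instance` keeps one reading per drive per server, which is why the per-server rows no longer collapse the way they do with `values()` or `dedup instance` alone. A host that does not report a given drive gets an empty cell in that column.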