Splunk Search

Free space counter for C D and E drive in table format for multiple Windows server

ravir_jbp
Explorer

Below are the event counts in Splunk. I am trying to create "% Free Space" for all three drives (C:, D:, E:).

03/02/2021 23:07:18.422 -0600 collection=LogicalDisk ... 1 line omitted ... counter="% Free Space" instance=D: Value=98.36774827925271
Show all 6 lines
host = YYYYYYYY source = Perfmon:LogicalDisk sourcetype = Perfmon:LogicalDisk
3/2/21 11:07:18.000 PM
======================
03/02/2021 23:07:18.422 -0600 collection=LogicalDisk ... 1 line omitted ... counter="% Free Space" instance=C: Value=43.369467322069944
Show all 6 lines
host = YYYYYYY source = Perfmon:LogicalDisk sourcetype = Perfmon:LogicalDisk
3/2/21 11:07:18.000 PM
========================
03/02/2021 23:07:18.949 -0600 collection=LogicalDisk ... 1 line omitted ... counter="% Free Space" instance=E: Value=71.4197915987671
Show all 6 lines
host = YYYYYYYY source = Perfmon:LogicalDisk sourcetype = Perfmon:LogicalDisk
3/2/21 11:07:18.000 PM
===========================
03/02/2021 23:07:18.949 -0600 collection=LogicalDisk ... 1 line omitted ... counter="% Free Space" instance=D: Value=59.03638151425762
Show all 6 lines
host = ZZZZZZZZZZ source = Perfmon:LogicalDisk sourcetype = Perfmon:LogicalDisk
3/2/21 11:07:18.000 PM

 

The Splunk script below is not working as expected. I also need the Value field rounded (currently getting decimals). I am looking for drive free space in table format for each host that I added in the script. Please help.

index=perfmon host=XXXXXXX OR host=YYYYYY OR host=ZZZZZZZZ sourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance="C:" OR instance="D:" OR instance="E:" Value |sort counter, Value| stats values(Value), values(instance), values(host) | table values(host) values(instance) values(Value) | rename values(host) as Hostname, values(instance) as drive, values(Value) as Totalfree%

0 Karma

ITWhisperer
Ultra Champion

In what way is it not expected?

Have the events already been split, each beginning with a timestamp?

Have the fields mentioned already been extracted?

0 Karma

ravir_jbp
Explorer

Hello ITWhisperer,

 

I am getting results like those in the screenshot attached below. I have added 5 servers, but I am only seeing C, D and E from each server; also, the Totalfree is not in a proper table format. What I am expecting is to get C, D and E columns for each server and the total free value under those C, D and E drives.

screenshot.JPG

0 Karma

ITWhisperer
Ultra Champion

Values in your stats command is removing duplicates - try list instead

| stats list(Value), list(instance), list(host)
0 Karma

ravir_jbp
Explorer

Hi,

I have modified the script:

index=perfmon host=XXXX OR host=YYYY OR host=ZZZZ sourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance="C:" OR instance="D:" OR instance="E:" Value |dedup instance| sort counter, Value| stats list(Value), list(instance), list(host) | rename list(Value) as Free%, list(instance) as Drives

But this time I only see data for one server, though I have added three servers.

If you look at the screenshot below from the results, I am only getting data for server XXX. I added multiple servers as YYY and ZZZ. Can you suggest how to fix this? Also, the free% seems to be a decimal value. How can we make it a rounded value as well?

 

screenshot.JPG

0 Karma

ITWhisperer
Ultra Champion
eval Value=round(Value,0)
0 Karma

ITWhisperer
Ultra Champion

dedup instance is finding the first event for each drive - try 

dedup instance host
0 Karma

ravir_jbp
Explorer

Thank you so much!!! It worked for me... I appreciate your help.

0 Karma
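
The fixes from this thread combined into one search, as an added example that is not from any poster: `dedup instance host` keeps one event per drive per server, and `round` drops the decimals. The final `chart ... over host by instance` step goes beyond the replies above and pivots the result into one row per host with C:, D: and E: columns. The index, sourcetype and host placeholders are the ones from the question; the parentheses are added so the `OR` terms group as intended.

```spl
index=perfmon sourcetype="Perfmon:LogicalDisk" counter="% Free Space"
    (host=XXXX OR host=YYYY OR host=ZZZZ)
    (instance="C:" OR instance="D:" OR instance="E:")
| dedup instance host
| eval Value=round(Value,0)
| chart values(Value) over host by instance
| rename host as Hostname
```

Because `dedup` keeps the first event returned for each host and drive pair, each cell holds a single free-space percentage; a host with no event for a drive in the search window shows an empty cell in that column.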