Help with Splunk query for battery status, cpu usage, disk space



Please indulge me as I am relatively new to Splunk.

I wish to create a query or report I can run on demand to provide proactive data from our client (Windows) machines, namely battery status, CPU usage, disk space usage, along those lines.

I found the below on Lantern but, pardon my ignorance, I have no idea how I would implement this in a Splunk search.

| mstats avg(LogicalDisk.%_Free_Space) AS "win_storage_free" WHERE index="<name of your metrics index>" host="<names of the hosts you want to check>" instance="<names of drives you want to check>" instance!="_Total" BY host, instance span=1m
| eval storage_used_percent=round(100-win_storage_free,2)
| eval host_dev=printf("%s:%s\\",host,instance)
| timechart max(storage_used_percent) AS storage_used_percent BY host_dev

Would appreciate some help and guidance.

Thank you in advance! 

0 Karma


This search utilizes metrics data.  Do you know if your environment is already collecting metrics data? What about the resource usage (CPU usage, etc)?

0 Karma


Hi Stefanie,

Thank you so much for your reply.

Not sure what you mean when asking if we already collect metrics data?  We use Quest's KACE for the moment but will be moving away from that product in the very near future, and I can get some of the data we are looking for there.  

I want something reliable we can use going forward.  My understanding was Splunk would query WMI on our client machines to provide the data I am looking for?

Thank you!!!


0 Karma


Ah okay that helps me out.

How many assets are you looking to collect data from? You have the option to install Splunk Forwarder on one Windows machine and set it up to collect WMI data remotely from other Windows machines. But if there are a lot of assets, you also have the option to install Splunk Forwarder on every Windows machine and collect WMI data that way.


Splunk does offer an add-on to automatically set up and collect Windows data. After installing the Splunk Forwarder you would install this app here https://splunkbase.splunk.com/app/742/ and then turn on which items you want it to report back to Splunk. 

To manage these configurations (WMI or add-on), Splunk can act as a deployment server which will push out your requested configurations to each forwarder. That way you don't have to make the changes on every server.


Hope this helps, let me know if I need to clarify anything.





0 Karma
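As an added illustration (not part of any post in this thread, and not Splunk's shipped configuration), this is roughly what "turning on" the relevant inputs on a forwarder looks like, so that the `mstats` search from the question has a `LogicalDisk.%_Free_Space` metric to read. The stanza names, intervals and index placeholders are assumptions, and the `PerfmonMetrics:*` sourcetypes assume the Windows add-on linked above is installed; compare against the add-on's own default `inputs.conf` before deploying.

```ini
# ---- inputs.conf (in an app pushed to forwarders by the deployment server) ----

# Disk space: feeds the LogicalDisk.%_Free_Space metric used by the mstats search.
[perfmon://LogicalDisk]
object = LogicalDisk
counters = % Free Space; Free Megabytes
instances = *
# seconds between samples (assumed value; tune for several thousand clients)
interval = 60
mode = single
useEnglishOnly = true
# sourcetype assumed to be converted to metrics by the Windows add-on
sourcetype = PerfmonMetrics:LogicalDisk
index = <name of your metrics index>
disabled = 0

# CPU usage, collected the same way.
[perfmon://CPU]
object = Processor
counters = % Processor Time
instances = _Total
interval = 60
mode = single
useEnglishOnly = true
sourcetype = PerfmonMetrics:CPU
index = <name of your metrics index>
disabled = 0

# ---- wmi.conf (same app) ----

# Battery status has no perfmon object here, so it is polled through WMI
# and lands as events, not metrics (search it with index=..., not mstats).
[WMI:Battery]
interval = 300
wql = SELECT EstimatedChargeRemaining, BatteryStatus FROM Win32_Battery
index = <name of your events index>
disabled = 0
```

The index placeholders must name indexes that already exist on the indexers, and the metrics index has to be created as a metrics-type index for `mstats` to return results.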


Hi again Stefanie,

Really, thank you so much.

We have several thousand client machines so whichever method has the least overhead will likely be the one we go with.

I will read through the links you provided and give your suggestions a go. Theoretically, it sounds as though this should provide exactly the solution management is seeking.



