Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate total disk size when using freediskspace collection?

edwinmae
Path Finder
‎08-08-2016 12:12 AM

I am searching for a 'search' that will give me the following information:
Disk usage (C:) in %
Total Disk size (C:)
Free Disk space (C:)

I know there is Windows App, but I would like to achieve this without that 

index = "perfmonxx" collection = FreeDiskSpace (counter="% Free Space" OR counter="Free Megabytes") instance=C: host=xx
| eval usage=(100-Value)
| eval GB=(Value/1024)
| eval size=GB*(100/(100-usage)) 
| eval usage1=(ceiling(usage))
| eval GB1=(floor(GB)) | stats max(usage1) as Usage max(size) as Total max(GB1) as Free by host

Using this, I get the usage (in %) and the available free space (in GB) correctly, but the (manual) calculation 'for total size' doesn't show me the correct result.

When I calculate it manually (using e.g. calculator) it gives me the correct result: size = 9.x * (100 / (100 - 83.x) ~ 60 GB

But the outcome in Splunk gives me a different result. I am stuck, please advise.

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎08-08-2016 05:26 AM

Oh dear lord forgive me for this search:

index="perfmonxxx" collection=FreeDiskSPace counter="% Free Space"  
| eval diskInfoA=mvzip(instance,Value) 
| eval diskInfoA1=mvzip(diskInfoA,counter) 
| table diskInfoA1 host instance 
| join host instance
  [
  search index="perfmonxxx" collection=FreeDiskSPace counter="Free Megabytes"
  | eval diskInfoB=mvzip(instance,Value) 
  | eval diskInfoB1=mvzip(diskInfoB,counter) 
  | table diskInfoB1 host instance 
  ]
| makemv diskInfoA1 delim=","
| makemv diskInfoB1 delim=","
| eval freePerc=mvindex(diskInfoA1,1)
| eval freeMegs=mvindex(diskInfoB1,1)
| eval usage=(ceiling(100-freePerc))
| eval GB=(floor(freeMegs/1024))
| eval totalDiskGB=(GB/(freePerc/100))
| stats max(usage) as Usage max(GB) as Free max(totalDiskGB) as diskSizeGB by host instance

alt text

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎08-08-2016 05:26 AM

Oh dear lord forgive me for this search:

index="perfmonxxx" collection=FreeDiskSPace counter="% Free Space"  
| eval diskInfoA=mvzip(instance,Value) 
| eval diskInfoA1=mvzip(diskInfoA,counter) 
| table diskInfoA1 host instance 
| join host instance
  [
  search index="perfmonxxx" collection=FreeDiskSPace counter="Free Megabytes"
  | eval diskInfoB=mvzip(instance,Value) 
  | eval diskInfoB1=mvzip(diskInfoB,counter) 
  | table diskInfoB1 host instance 
  ]
| makemv diskInfoA1 delim=","
| makemv diskInfoB1 delim=","
| eval freePerc=mvindex(diskInfoA1,1)
| eval freeMegs=mvindex(diskInfoB1,1)
| eval usage=(ceiling(100-freePerc))
| eval GB=(floor(freeMegs/1024))
| eval totalDiskGB=(GB/(freePerc/100))
| stats max(usage) as Usage max(GB) as Free max(totalDiskGB) as diskSizeGB by host instance

alt text

Preview file
1 KB
Reply
Solved! Jump to solution

bdahlb
Explorer
‎05-07-2018 09:14 AM

So obviously this has been answered for a while, but I came across this today with the same question. Here is the same search but using "stats" instead of the "join":

index=perfmon host=* object="LogicalDisk" counter="% Free Space" OR counter="Free Megabytes"
| eval diskInfoA = if(counter=="% Free Space",mvzip(instance,Value),null())
| eval diskInfoA1 = if(isnotnull(diskInfoA),mvzip(diskInfoA,counter),null())
| eval diskInfoB = if(counter=="Free Megabytes",mvzip(instance,Value),null())
| eval diskInfoB1 = if(isnotnull(diskInfoB),mvzip(diskInfoB,counter),null())
| stats list(diskInfoA1) AS "diskInfoA1", list(diskInfoB1) AS "diskInfoB1" by host, instance, _time
| makemv diskInfoA1 delim=","
| makemv diskInfoB1 delim=","
| eval freePerc = mvindex(diskInfoA1,1)
| eval freeMB = mvindex(diskInfoB1,1)
| eval usage=round(100-freePerc,2)
| eval GB = round(freeMB/1024,2)
| eval totalDiskGB = GB/(freePerc/100)
| stats max(usage) AS "Disk Usage", max(GB) AS "Disk Free", max(totalDiskGB) AS "Total Disk Size (GB)" by host instance
Reply
Solved! Jump to solution

Ranazar
Path Finder
‎09-10-2018 01:29 PM

I stumbled across this post when having the same challenge. This stats-based command was really helpful - but just an FYI to future readers that neither of these searches will work if you're at 0% free space. It's not something you can fix by changing the search - it's just the inherent problem of trying to use freeMB and freePerc to figure out used or total.

It's possible that hitting 0.000...% free space is super rare - but this is still annoying to me. The problem is simply that perfmon doesn't collect used or total metrics. In my case I think I'll end up using WMI for this.

0 Karma
Reply
Solved! Jump to solution

edwinmae
Path Finder
‎08-08-2016 11:40 PM

You're forgiven as it worked for me 🙂 Thanks!

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎08-09-2016 03:43 AM

Awesome, thanks for marking as the answer and let us know if you ever need help again!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...