How to develop a search to find free disk space us...

aparnaa · ‎09-27-2016

We have added the below code in out inputs.conf file for 50+ servers
I am not sure on how to check the free space via search

Can you please guide me on this?

We want to find the total used and available disk space

[perfmon://Free Disk Space]
counters = Free Megabytes;% Free Space
disabled = 0
instances = _Total
interval = 120
object = LogicalDisk
index = infra_index

Thanks
aparna

JDukeSplunk · ‎09-27-2016

Here's what we use. We just tacked this into Splunk_TA_Windows /local/inputs.conf

[perfmon://CPU Load]
index = perfmon
counters = % Processor Time;% User Time
instances = _Total
interval = 60
object = Processor

[perfmon://Available Memory]
index = perfmon
counters = Available Bytes
interval = 60
object = Memory

[perfmon://Free Disk Space]
index = perfmon
counters = Free Megabytes;% Free Space
instances = C:;D:;E:;F:
# 15 minutes
interval = 900
object = LogicalDisk

[perfmon://Network Interface]
index = perfmon
counters = Bytes Received/sec;Bytes Sent/sec
instances = *
interval = 60
object = Network Interface

[perfmon://LocalPhysicalDisk]
index = perfmon
# 5 minutes
interval = 300
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time ;Avg. Disk Bytes/Read; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Write; Avg. Disk Queue Length; Avg. Disk Read Queue Length; Avg. Disk Write Queue Length; Avg. Disk sec/Read; Avg. Disk sec/Transfer; Avg. Disk sec/Write
instances = *
disabled = 0

Then this is the search we use.

    index=perfmon sourcetype="Perfmon:Free Disk Space" counter="Free Megabytes" (instance!="HarddiskVolume*") (instance!=_Total) |dedup host
| eval FreeSpace=(Value/1024)
| eval GB=tostring(FreeSpace,"commas")
| table host instance GB 
| sort + host instance
| rename instance as "Drive Letter" GB as "GigaBytes Free"

JDukeSplunk · ‎09-27-2016

One more, to find hosts with low C:\

index=perfmon sourcetype="Perfmon:Free Disk Space" counter="Free Megabytes" (instance!="HarddiskVolume*") (instance!=_Total) instance=C: Value < 5000  |dedup host | eval FreeSpace=(Value/1024)| eval GB=tostring(FreeSpace,"commas") | table host instance GB | sort + host instance | rename instance as "Drive Letter" GB as "GigaBytes Free"

somesoni2 · ‎09-27-2016

Not sure if the perfmon stanza is correct (I've never seen 'Free Disk Space' as perfom input). If it's working for you then you can search the data in Splunk using following search (a sample one)

index=infra_index sourcetype="Perfmon:Free Disk Space" counter="Free Megabytes" | dedup host | eval {counter}=value | table host Free*

Updated input name
If it's not working, I would suggest to try [perfmon://Logical Disk] instead of [perfmon://Free Disk Space]

aaraneta_splunk · ‎09-27-2016

Hello @aparnaa - I just wanted to clarify something in your question, are you referring to a specific app or add-on in Splunkbase? https://splunkbase.splunk.com

If yes, please let me know which one it is so I can make sure your post is tagged properly to try to get more visibility for you. Thanks!

aparnaa · ‎09-27-2016

I am looking to get the details via search , is it possible ?

aaraneta_splunk · ‎09-27-2016

Thanks for your reply, I will leave the tags as is.

How to develop a search to find free disk space using Splunk for Windows server?

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector