Splunk Search

How to develop a search to find free disk space using Splunk for Windows server?

Path Finder

We have added the below code in our inputs.conf file for 50+ servers
I am not sure on how to check the free space via search

Can you please guide me on this?

We want to find the total used and available disk space

[perfmon://Free Disk Space]
counters = Free Megabytes;% Free Space
disabled = 0
instances = _Total
interval = 120
object = LogicalDisk
index = infra_index

Thanks
aparna

0 Karma

Builder

Here's what we use. We just tacked this into Splunk_TA_Windows/local/inputs.conf

[perfmon://CPU Load]
index = perfmon
counters = % Processor Time;% User Time
instances = _Total
interval = 60
object = Processor

[perfmon://Available Memory]
index = perfmon
counters = Available Bytes
interval = 60
object = Memory

[perfmon://Free Disk Space]
index = perfmon
counters = Free Megabytes;% Free Space
instances = C:;D:;E:;F:
# 15 minutes
interval = 900
object = LogicalDisk

[perfmon://Network Interface]
index = perfmon
counters = Bytes Received/sec;Bytes Sent/sec
instances = *
interval = 60
object = Network Interface

[perfmon://LocalPhysicalDisk]
index = perfmon
# 5 minutes
interval = 300
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time ;Avg. Disk Bytes/Read; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Write; Avg. Disk Queue Length; Avg. Disk Read Queue Length; Avg. Disk Write Queue Length; Avg. Disk sec/Read; Avg. Disk sec/Transfer; Avg. Disk sec/Write
instances = *
disabled = 0

Then this is the search we use.

    index=perfmon sourcetype="Perfmon:Free Disk Space" counter="Free Megabytes" (instance!="HarddiskVolume*") (instance!=_Total)
    | dedup host instance
    | eval FreeSpace=(Value/1024)
    | eval GB=tostring(FreeSpace,"commas")
    | table host instance GB
    | sort + host instance
    | rename instance as "Drive Letter" GB as "GigaBytes Free"

Builder

One more, to find hosts with low C:\

    index=perfmon sourcetype="Perfmon:Free Disk Space" counter="Free Megabytes" (instance!="HarddiskVolume*") (instance!=_Total) instance=C: Value < 5000
    | dedup host
    | eval FreeSpace=(Value/1024)
    | eval GB=tostring(FreeSpace,"commas")
    | table host instance GB
    | sort + host instance
    | rename instance as "Drive Letter" GB as "GigaBytes Free"
0 Karma
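
Added example, not part of any post in this thread: the question asks for total and used space, which neither counter reports directly, but both can be derived per drive from `Free Megabytes` and `% Free Space`. It assumes the per-drive `instances` and `index=perfmon` from the stanza in the answer above; the output field names (`free_mb`, `pct_free`, `total_gb`, `used_gb`, `free_gb`) are made up for the example.

```spl
index=perfmon sourcetype="Perfmon:Free Disk Space" instance!="_Total" instance!="HarddiskVolume*"
    (counter="Free Megabytes" OR counter="% Free Space")
| stats latest(eval(if(counter=="Free Megabytes", Value, null()))) as free_mb
        latest(eval(if(counter=="% Free Space", Value, null()))) as pct_free
        by host instance
| eval free_gb = round(free_mb / 1024, 1)
| eval total_gb = if(pct_free > 0, round(free_mb / (pct_free / 100) / 1024, 1), null())
| eval used_gb = round(total_gb - free_gb, 1)
| eval pct_free = round(pct_free, 1)
| table host instance total_gb used_gb free_gb pct_free
| sort + host instance
```

Totals are approximate because they are back-calculated from a percentage, and a drive reporting 0% free shows an empty total instead of dividing by zero.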

Revered Legend

Not sure if the perfmon stanza is correct (I've never seen 'Free Disk Space' as perfmon input). If it's working for you then you can search the data in Splunk using the following search (a sample one)

    index=infra_index sourcetype="Perfmon:Free Disk Space" counter="Free Megabytes" | dedup host | eval {counter}=Value | table host Free*

Updated input name
If it's not working, I would suggest trying [perfmon://Logical Disk] instead of [perfmon://Free Disk Space]

0 Karma

Splunk Employee

Hello @aparnaa - I just wanted to clarify something in your question, are you referring to a specific app or add-on in Splunkbase? https://splunkbase.splunk.com

If yes, please let me know which one it is so I can make sure your post is tagged properly to try to get more visibility for you. Thanks!

0 Karma

Path Finder

I am looking to get the details via search, is it possible?

0 Karma

Splunk Employee

Thanks for your reply, I will leave the tags as is.

0 Karma