Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Free disk space

ravir_jbp
Explorer
‎02-25-2021 06:43 AM

I am trying to get the free space in % for C,D and E drive. I have below events in splunk. 

 

02/25/2021 08:22:32.272 -0600
collection=LogicalDisk
object=LogicalDisk
counter="% Free Space"
instance=E:
Value=4284.377358490566

02/25/2021 08:20:32.264 -0600
collection=LogicalDisk
object=LogicalDisk
counter="% Free Space"
instance=D:
Value=98.32841691248771

02/25/2021 08:26:32.298 -0600
collection=LogicalDisk
object=LogicalDisk
counter="% Free Space"
instance=C:
Value=43.12314853999153

 

I am looking for the data like

server name  Drive   Free space available

xyz                    C:          20%

xyz           😧           30%

Tags (1)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-25-2021 11:52 AM

Hi @ravir_jbp,

Your first sample event seems wrong, I assume it is typo.  But please try this

index=windows collection=LogicalDisk object=LogicalDisk
| stats latest(Value) as value by host instance
| eval value=round(value,0).%
| rename instance as Drive, host as "Server Name", value as "Free space available"
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

ravir_jbp
Explorer
‎03-01-2021 01:26 AM

Hi scelikok,

 

I am getting below error while execting the script:

 

"Error in 'eval' command: The expression is malformed. An unexpected character is reached at '%'. The search job has failed due to an error. You may be able view the job in the Job Inspector."

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-03-2021 10:59 AM

Sorry about I have forgotten quotes, please try below;

index=windows collection=LogicalDisk object=LogicalDisk
| stats latest(Value) as value by host instance
| eval value=round(value,0)."%"
| rename instance as Drive, host as "Server Name", value as "Free space available"
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-25-2021 07:01 AM

Hi @ravir_jbp,

you should have also another info about your disks: the total space "TotalSpaceKB",

In this way you can calculate the percentage of free space.

I used the following search in a dashboard:

index=windows sourcetype=WinHostMon DriveType=fixed
| stats latest(TotalSpaceKB) AS TotalSpaceKB latest(FreeSpaceKB) AS FreeSpaceKB by host 
| eval 
     Perc=(FreeSpaceKB/TotalSpaceKB)*100,
     TotalSpaceGB=TotalSpaceKB/1024/1024, 
     FreeSpaceGB=FreeSpaceKB/1024/1024 
| sort host 
| table hostTotalSpaceGB FreeSpaceGB Perc 
| rename host AS "Server Name" Name AS "Drive" Perc AS "FreeSpace%"

that you could adapt to your needs.

Ciao.

Giuseppe

 

0 Karma
Reply

ravir_jbp
Explorer
‎03-01-2021 01:53 AM

 

Hi gcusello,

 

I did not find any thing with "TotalSpaceKB" counter. But I found below one. I tried to run 

index=perfmon host=XXXXXXXX sourcetype="Perfmon:LogicalDisk" counter="Free Megabytes" instance="C:" OR instance="D:" OR instance="E:" | dedup instance, host

 

I am getting the events but I am trying to get that in table format with total free space in GB. Currently its showing as MB. Can you help me to conver this into GB.

 

Time Event
3/1/21
3:45:51.000 AM
03/01/2021 03:45:51.126 -0600
collection=LogicalDisk
object=LogicalDisk
counter="Free Megabytes"
instance=E:
Value=57853
Collapse
host = XXXXX source = Perfmon:LogicalDisksourcetype = Perfmon:LogicalDisk
3/1/21
3:45:51.000 AM
03/01/2021 03:45:51.126 -0600
collection=LogicalDisk
object=LogicalDisk
counter="Free Megabytes"
instance=D:
Value=5001
Collapse
host = XXXXXXX source = Perfmon:LogicalDisksourcetype = Perfmon:LogicalDisk
3/1/21
3:45:51.000 AM
03/01/2021 03:45:51.126 -0600
collection=LogicalDisk
object=LogicalDisk
counter="Free Megabytes"
instance=C:
Value=57853
host = XXXXXX source = Perfmon:LogicalDisksourcetype = Perfmon:LogicalDisk

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-01-2021 02:12 AM

Hi @ravir_jbp,

to convert the value from MB to GB, you have to use the eval command:

| eval FreeGigabytes=Value/1024

Ciao.

Giuseppe

0 Karma
Reply

ravir_jbp
Explorer
‎03-01-2021 03:57 AM

 

 

Hi gcusello,

 

THank you for prompt response. That worked for me. I have antoher doubt and I was trying to get the C: D and E drive value into table but I am getting blank results. 

index=perfmon host=XXXXXX sourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance="C:" OR instance="D:" OR instance="E:" | dedup counter | table host counter C:  E:| stats values(host), values(counter), values(C:), values(D:), values(E:)

 

Results I am getting here: I need to get the Value there in C D E

 


20 Per Page
Format
Preview
host	Space	                   C:	  D:	                 E:
XXXXXXX	Free Megabytes	 	 	 
XXXXXXX	% Free Space

 

0 Karma
Reply

ravir_jbp
Explorer
‎03-02-2021 12:49 AM
Hi, can you please help me with this solution as well. thank you
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...