Arslan11
Brass Contributor
Jun 16, 2020

Assistance with KQL (Disk space high alert)

I am using the KQL language under a Log Analytics workspace (Azure monitoring).

Perf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space" and Computer != "net-fs3.networkhg.org.uk" and Computer != "NET-FS1.networkhg.org.uk" and Computer != "NET-SQL3.networkhg.org.uk" and Computer != "NET-EDMLIVEDB1.networkhg.org.uk" and Computer != "NET-EDM_KOFAX1.networkhg.org.uk"
| summarize Free_Space = min(CounterValue) by Computer, InstanceName
| where strlen(InstanceName) == 2 and InstanceName contains ":" and Computer != "NET-REPAIR2.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "NH-E2016-01.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "NH-E2016-02.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "net-boxi1.networkhg.org.uk" and InstanceName !contains ":D"
| where Free_Space < 10

 

Can you please help me with this query? I want to make sure that only one instance of the computer is being monitored instead of all, for example:

 

Computer != "net-boxi1.networkhg.org.uk" and InstanceName !contains ":D"

 

In this instance I want that computer to avoid the D drive instead of all drives, like I have specified in the query for all the computers, as I want other drives to be monitored.

3 Replies

  • CliveWatson
    Silver Contributor

    Arslan11 

     

    Is this right?

     

    Perf
    // set up filters
    | where ObjectName == "LogicalDisk" and CounterName == "% Free Space" 
    | where strlen(InstanceName) == 2 and InstanceName contains ":" 
    // exclude ALL these named computers 
    | where Computer !in ("net-fs3.networkhg.org.uk","NET-FS1.networkhg.org.uk","NET-SQL3.networkhg.org.uk",
                        "NET-EDMLIVEDB1.networkhg.org.uk","NET-EDM_KOFAX1.networkhg.org.uk")
    // Show all
    | summarize Free_Space = min(CounterValue) by Computer , InstanceName
    // Exclude these drive / Computer combinations
    // Use a "1" to denote an exclude else "0"
    | extend ComputerList = case(
                                Computer == "NET-REPAIR2.networkhg.org.uk" and InstanceName == "E:",1,
                                Computer == "NH-E2016-01.networkhg.org.uk" and InstanceName == "E:",1,
                                Computer == "NH-E2016-02.networkhg.org.uk" and InstanceName == "E:",1,   
                                Computer == "net-boxi1.networkhg.org.uk"   and InstanceName == "D:",1,
                                //else zero
                                0)
    | where ComputerList !=1
    | where Free_Space < 10
    | project-away ComputerList
    

     
