Arslan11
Brass Contributor
Jun 10, 2020

Azure monitoring Kusto query

Perf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space" and Computer != "net-fs3.networkhg.org.uk" and Computer != "NET-FS1.networkhg.org.uk" and Computer != "NET-SQL3.networkhg.org.uk" and Computer != "NET-EDMLIVEDB1.networkhg.org.uk" and Computer != "NET-EDM_KOFAX1.networkhg.org.uk"
| summarize Free_Space = min(CounterValue) by Computer, InstanceName
| where strlen(InstanceName) == 2 and InstanceName contains ":" and Computer != "NET-REPAIR2.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "NH-E2016-01.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "NH-E2016-02.networkhg.org.uk" and InstanceName !contains ":E"

| where Free_Space < 15 and Free_Space > 10

 

I need assistance with the query above, specifically: and Computer != "NH-E2016-01.networkhg.org.uk" and InstanceName !contains ":E". The query doesn't output any drive for that NH-E2016, even though there is one drive with 11%, the C drive; it completely avoids the server.

 

How can I amend this query so that that server avoids the E drive but its other drives are still monitored with the specified percentage?

  • -Akos-
    Brass Contributor

    Arslan11 You put Computer != "NH-E2016-01.networkhg.org.uk" which would avoid this computer completely no matter what you put behind it, I think.

     

    Also, you can create a group in Log Analytics (go to saved searches; there you can create a search as a group). E.g. this is one group I have for servers that I want Critical patches to run upon in another group called EuropeServers:

     

    Heartbeat

    | where Computer !in (EuropeNonCriticalPatch) and Computer in (EuropeServers)
    | distinct Computer

     

    And in the EuropeNonCriticalPatch I have things like:

     

    search "Heartbeat"
    | where (Computer == "computerA" or Computer == "computerB" or Computer == "computerC" or Computer == "computerD")
    | distinct Computer

     

    So you could create something similar in your case.

    • CliveWatson
      Microsoft

      -Akos- 

       

      Some other ideas, I prefer to reduce the amount of "or"'s and replace with an "in" or "!in"

      search "Heartbeat"
      | where Computer in ("computerA","computerB","computerC" ,"computerD")
      | distinct Computer

       

      or

       

      let computerList = dynamic(["computerA","computerB","computerC" ,"computerD"]);
      search "Heartbeat"
      | where Computer in (computerList)
      | distinct Computer
      

       

      FYI,
      Home - Azure -  Azure Log Analytics  (in another forum to use on this platform for KQL help)

       

      • Arslan11
        Brass Contributor

        CliveWatson thanks. My question is: how can I stop one instance name from being monitored on a server, instead of avoiding all the instance names, when using the language specified below?

         

        and Computer != "NH-E2016-01.networkhg.org.uk" and InstanceName !contains ":E"
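
Added example, not part of the thread or any poster's code: one way to skip only the E drive on chosen servers is to negate the combined condition (this server AND this drive) instead of filtering on Computer by itself. The SamplePerf rows are constructed, the SkipDriveE list is an assumption about which servers were meant, and the query assumes the E drive's InstanceName is written "E:".

```kusto
// Constructed sample rows standing in for the Perf table (values are made up).
let SamplePerf = datatable(Computer:string, ObjectName:string, CounterName:string,
                           InstanceName:string, CounterValue:real)
[
    "NH-E2016-01.networkhg.org.uk", "LogicalDisk", "% Free Space", "C:",     11.0,
    "NH-E2016-01.networkhg.org.uk", "LogicalDisk", "% Free Space", "E:",     12.0,
    "NH-E2016-02.networkhg.org.uk", "LogicalDisk", "% Free Space", "E:",     13.0,
    "NET-REPAIR2.networkhg.org.uk", "LogicalDisk", "% Free Space", "D:",     14.0,
    "NET-FS1.networkhg.org.uk",     "LogicalDisk", "% Free Space", "C:",     12.0,
    "OTHER-SRV.example",            "LogicalDisk", "% Free Space", "E:",     12.5,
    "OTHER-SRV.example",            "LogicalDisk", "% Free Space", "_Total", 12.5
];
// Servers that are not monitored at all (taken from the first where clause).
let ExcludedComputers = dynamic([
    "net-fs3.networkhg.org.uk", "NET-FS1.networkhg.org.uk",
    "NET-SQL3.networkhg.org.uk", "NET-EDMLIVEDB1.networkhg.org.uk",
    "NET-EDM_KOFAX1.networkhg.org.uk"]);
// Servers where only the E drive is skipped (assumed from the question).
let SkipDriveE = dynamic([
    "NET-REPAIR2.networkhg.org.uk", "NH-E2016-01.networkhg.org.uk",
    "NH-E2016-02.networkhg.org.uk"]);
SamplePerf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
// in~ / !in~ compare case-insensitively, which suits host names.
| where Computer !in~ (ExcludedComputers)
// Keep drive-letter instances only ("C:", "D:", ...), dropping _Total etc.
| where strlen(InstanceName) == 2 and InstanceName contains ":"
// Drop a row only when BOTH hold: a listed server AND its E drive.
// "Computer != X and InstanceName != Y" would drop every row for X.
| where not(Computer in~ (SkipDriveE) and InstanceName =~ "E:")
| summarize Free_Space = min(CounterValue) by Computer, InstanceName
| where Free_Space < 15 and Free_Space > 10
```

To run this against real data, replace SamplePerf in the final statement with Perf and drop the datatable definition.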
