Forum Discussion

Hairy_Zeus's avatar
Hairy_Zeus
Copper Contributor
Jul 28, 2021

Assistance with Log Analytics Disk Query

Good Morning all,

 

I'm hoping to get some help with log analytics, I'm trying to write a simple query that returns the percentage of used disk space for both Windows and Linux VMs.

 

For Linux VMs the following works great and display exactly what I am looking for.

But if I change "Logical Disk" to "LogicalDisk" for Windows VMs it doesn't return any records

I can query free disk space on Windows VMs using this code from Noa Kuperberg but I'm looking for used space, not free space.

 

Perf
| where ObjectName == "LogicalDisk" or // the object name used in Windows records
ObjectName == "Logical Disk" // the object name used in Linux records
| where CounterName == "Free Megabytes"
| summarize avg_free_disk_MB=avg(CounterValue) by Computer, InstanceName

 

Any help much appreciated.

 

Thanks!

 

  • Hairy_Zeus

     

    Maybe this?

     

    Perf
    //| where Computer !startswith "A" //or Computer startswith "J" //testing
    | where TimeGenerated > startofday(ago(1d))
    | where CounterName in ( "% Free Space" , "% Used Space", "Free Megabytes")
    | where InstanceName !contains 'Harddisk' and InstanceName != '_Total'
    | summarize PctFree=avgif(CounterValue, CounterName == "% Free Space" ), 
                Linux  =avgif(CounterValue, CounterName == "% Used Space"), 
                MbFree =avgif(CounterValue, CounterName == "Free Megabytes"),
                arg_max(TimeGenerated, Computer) by Computer, InstanceName 
    | extend PctFree = iif(isnan(PctFree),Linux,PctFree)
    | project-away Linux, Computer1
    | project TotalSizeGB=round(MbFree*100/PctFree/1024,0), 
                round(PctFree,2),
                round(MbFree,2), 
                Computer, 
                InstanceName
    | summarize FreePCT=avg(PctFree) by Computer,
                InstanceName,
                TotalSizeGB,
                FreeGB = round(MbFree / 1024,2)
    | sort by Computer asc, InstanceName asc
    | project Computer, InstanceName, TotalSizeGB, FreeGB,  GBinUse = TotalSizeGB - FreeGB, FreePCT

     

  • Hairy_Zeus You need two Perf counters, this is from a few years ago, so could be improved on I think, but it works or at least can give you an idea.

     

    //
    // combine % free and Free space to get volume size as well as %free
    //
    
    Perf
    | where Computer startswith "RDS" 
    // add other computers here
    | where CounterName == "Free Megabytes"
    | where TimeGenerated > startofday(ago(1d))
    | where InstanceName has ":" and strlen(InstanceName) ==2 // only look at drive letters
    | summarize MbFree=avg(CounterValue) by Computer,InstanceName,bin(TimeGenerated, 5m)
    | summarize arg_max(TimeGenerated, *) by Computer,InstanceName
    |join kind= inner
    (
        Perf
        | where CounterName == "% Free Space"
        | where TimeGenerated > startofday(ago(1d))
        | where InstanceName has ":" and strlen(InstanceName) ==2 // only look at drive letters
        | summarize PctFree=avg(CounterValue) by Computer,InstanceName,bin(TimeGenerated, 5m)
        | summarize arg_max(TimeGenerated, *) by Computer,InstanceName
    )
    on Computer , InstanceName 
    | project   TotalSizeGB=round(MbFree*100/PctFree/1024,0), 
                round(PctFree,2),
                round(MbFree,2), 
                Computer, 
                InstanceName
    | summarize FreePCT=avg(PctFree) by Computer,
                DriveLetter = InstanceName,
                TotalSizeGB,
                FreeGB = round(MbFree / 1024,2)
    | sort by DriveLetter  asc
    | project Computer, DriveLetter, TotalSizeGB, FreeGB, FreePCT, Inuse = TotalSizeGB - FreeGB

     

    • Hairy_Zeus's avatar
      Hairy_Zeus
      Copper Contributor

      CliveWatson thanks for the reply, much appreciated. This is perfect for Windows servers but it doesn't look like it's pulling any data for Linux servers, any idea how I can pull the same data in the same query for Linux servers also?

      • CliveWatson's avatar
        CliveWatson
        Icon for Microsoft rankMicrosoft

        Hairy_Zeus

         

        Maybe this?

         

        Perf
        //| where Computer !startswith "A" //or Computer startswith "J" //testing
        | where TimeGenerated > startofday(ago(1d))
        | where CounterName in ( "% Free Space" , "% Used Space", "Free Megabytes")
        | where InstanceName !contains 'Harddisk' and InstanceName != '_Total'
        | summarize PctFree=avgif(CounterValue, CounterName == "% Free Space" ), 
                    Linux  =avgif(CounterValue, CounterName == "% Used Space"), 
                    MbFree =avgif(CounterValue, CounterName == "Free Megabytes"),
                    arg_max(TimeGenerated, Computer) by Computer, InstanceName 
        | extend PctFree = iif(isnan(PctFree),Linux,PctFree)
        | project-away Linux, Computer1
        | project TotalSizeGB=round(MbFree*100/PctFree/1024,0), 
                    round(PctFree,2),
                    round(MbFree,2), 
                    Computer, 
                    InstanceName
        | summarize FreePCT=avg(PctFree) by Computer,
                    InstanceName,
                    TotalSizeGB,
                    FreeGB = round(MbFree / 1024,2)
        | sort by Computer asc, InstanceName asc
        | project Computer, InstanceName, TotalSizeGB, FreeGB,  GBinUse = TotalSizeGB - FreeGB, FreePCT

         

Resources