Forum Discussion
Hairy_Zeus
Jul 28, 2021Copper Contributor
Assistance with Log Analytics Disk Query
Good Morning all, I'm hoping to get some help with log analytics, I'm trying to write a simple query that returns the percentage of used disk space for both Windows and Linux VMs. For Linux V...
- Jul 29, 2021
Maybe this?
Perf //| where Computer !startswith "A" //or Computer startswith "J" //testing | where TimeGenerated > startofday(ago(1d)) | where CounterName in ( "% Free Space" , "% Used Space", "Free Megabytes") | where InstanceName !contains 'Harddisk' and InstanceName != '_Total' | summarize PctFree=avgif(CounterValue, CounterName == "% Free Space" ), Linux =avgif(CounterValue, CounterName == "% Used Space"), MbFree =avgif(CounterValue, CounterName == "Free Megabytes"), arg_max(TimeGenerated, Computer) by Computer, InstanceName | extend PctFree = iif(isnan(PctFree),Linux,PctFree) | project-away Linux, Computer1 | project TotalSizeGB=round(MbFree*100/PctFree/1024,0), round(PctFree,2), round(MbFree,2), Computer, InstanceName | summarize FreePCT=avg(PctFree) by Computer, InstanceName, TotalSizeGB, FreeGB = round(MbFree / 1024,2) | sort by Computer asc, InstanceName asc | project Computer, InstanceName, TotalSizeGB, FreeGB, GBinUse = TotalSizeGB - FreeGB, FreePCT
CliveWatson
Microsoft
Jul 29, 2021Hairy_Zeus You need two Perf counters, this is from a few years ago, so could be improved on I think, but it works or at least can give you an idea.
//
// combine % free and Free space to get volume size as well as %free
//
Perf
| where Computer startswith "RDS"
// add other computers here
| where CounterName == "Free Megabytes"
| where TimeGenerated > startofday(ago(1d))
| where InstanceName has ":" and strlen(InstanceName) ==2 // only look at drive letters
| summarize MbFree=avg(CounterValue) by Computer,InstanceName,bin(TimeGenerated, 5m)
| summarize arg_max(TimeGenerated, *) by Computer,InstanceName
|join kind= inner
(
Perf
| where CounterName == "% Free Space"
| where TimeGenerated > startofday(ago(1d))
| where InstanceName has ":" and strlen(InstanceName) ==2 // only look at drive letters
| summarize PctFree=avg(CounterValue) by Computer,InstanceName,bin(TimeGenerated, 5m)
| summarize arg_max(TimeGenerated, *) by Computer,InstanceName
)
on Computer , InstanceName
| project TotalSizeGB=round(MbFree*100/PctFree/1024,0),
round(PctFree,2),
round(MbFree,2),
Computer,
InstanceName
| summarize FreePCT=avg(PctFree) by Computer,
DriveLetter = InstanceName,
TotalSizeGB,
FreeGB = round(MbFree / 1024,2)
| sort by DriveLetter asc
| project Computer, DriveLetter, TotalSizeGB, FreeGB, FreePCT, Inuse = TotalSizeGB - FreeGB
Hairy_Zeus
Jul 29, 2021Copper Contributor
CliveWatson thanks for the reply, much appreciated. This is perfect for Windows servers but it doesn't look like it's pulling any data for Linux servers, any idea how I can pull the same data in the same query for Linux servers also?
- CliveWatsonJul 29, 2021
Microsoft
Maybe this?
Perf //| where Computer !startswith "A" //or Computer startswith "J" //testing | where TimeGenerated > startofday(ago(1d)) | where CounterName in ( "% Free Space" , "% Used Space", "Free Megabytes") | where InstanceName !contains 'Harddisk' and InstanceName != '_Total' | summarize PctFree=avgif(CounterValue, CounterName == "% Free Space" ), Linux =avgif(CounterValue, CounterName == "% Used Space"), MbFree =avgif(CounterValue, CounterName == "Free Megabytes"), arg_max(TimeGenerated, Computer) by Computer, InstanceName | extend PctFree = iif(isnan(PctFree),Linux,PctFree) | project-away Linux, Computer1 | project TotalSizeGB=round(MbFree*100/PctFree/1024,0), round(PctFree,2), round(MbFree,2), Computer, InstanceName | summarize FreePCT=avg(PctFree) by Computer, InstanceName, TotalSizeGB, FreeGB = round(MbFree / 1024,2) | sort by Computer asc, InstanceName asc | project Computer, InstanceName, TotalSizeGB, FreeGB, GBinUse = TotalSizeGB - FreeGB, FreePCT
- Hairy_ZeusJul 29, 2021Copper ContributorThis is exactly what I was looking for, you're a life saver. Thank you very much!