Forum Discussion

Rajinder Rahul's avatar
Rajinder Rahul
Copper Contributor
Feb 17, 2018
Solved

Help with Disk query in Log Analytics

Hi   I was wondering if I could get some help with Log analytics. New to this so bear with me.   I'm trying to create a query that will provide informtaion on disk utilisation in Azure. I've ...
azure monitor
Query Language
  • Noa Kuperberg's avatar
    Noa Kuperberg
    Feb 18, 2018

    Hi Rajinder Rahul,

     

    Your question is very popular, indeed many times users want to get the latest report of a computer performance counter (such as free space). Note that the overall size of the disk is not reported AFAIK but the free percent of it and free MB are.

     

    First, I highly recommend to start with the table name (Perf), to avoid unneeded search of the entire DB.

     

    To get the latest report I suggest using "arg_max", which would be more accurate than "summarize min". "arg_max" is intended exactly to return the the record that has a maximum value, in this case the record with the maximum TimeGenerated (meaning it is the latest record found). For example:

    Perf
| where TimeGenerated > ago(1d)
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| summarize (TimeGenerated, Free_Space_Percent)=arg_max(TimeGenerated, CounterValue) by Computer, InstanceName
| where strlen(InstanceName) ==2 and InstanceName contains ":"

     

    The above example will returns the maximum free space percent for each computer and instance:

    The same can be done for free MB.

     

    To combine the results of both calculations I recommend using "Join", which lets you match results by computer and instance names. See the join example here.

    The results look like this:

    HTH,

    Noa

     
Prince0103's avatar
Prince0103
Copper Contributor
Jan 21, 2020

Hello Noa Kuperberg,,

 

I am searching for a KQL query Disk read bytes and Disk writes bytes which not available in counter name. How can I get these counter name and results

CliveWatson's avatar
CliveWatson
Silver Contributor
Jan 22, 2020

Prince0103

 

If you are capturing the counters - please check here:

 

 

Then you can query them (after the data is available in the Workspace).  

// Disk usage
Perf
| where TimeGenerated > ago(1h)
| where CounterName == "Disk Read Bytes/sec"  or CounterName == "Disk Write Bytes/sec" 
| project TimeGenerated, CounterName, CounterValue 
| summarize avg(CounterValue) by CounterName, bin(TimeGenerated, 1m)
| render timechart

Go to Log Analytics and Run Query

  • Prince0103's avatar
    Prince0103
    Copper Contributor
    Jan 22, 2020

    Hello CliveWatson,

     

    Thank you for answer it works for me. 

     

    Could you please suggest me the KQL queries for Network In Total and Network Out Total, because I am getting two objects name here(Network Interface and Network Adapter) which Objects I should use and what couter name I should use for Network In/Out.

     

    Kindly suggest me on this.

    • CliveWatson's avatar
      CliveWatson
      Silver Contributor
      Jan 22, 2020

      Prince0103 

       

      A Network Adapter is typically a piece of hardware (or virtual hardware).  The network interface is built in software. Usually, there is one network interface per adapter.

       

      How are you configured and what do you want to show?  Just insert the counternames that make sense to you to the previous example.

       

       

Resources