Forum Discussion
Rajinder Rahul
Feb 17, 2018Copper Contributor
Help with Disk query in Log Analytics
Hi
I was wondering if I could get some help with Log analytics. New to this so bear with me.
I'm trying to create a query that will provide informtaion on disk utilisation in Azure. I've ...
- Feb 18, 2018
Hi Rajinder Rahul,
Your question is very popular, indeed many times users want to get the latest report of a computer performance counter (such as free space). Note that the overall size of the disk is not reported AFAIK but the free percent of it and free MB are.
First, I highly recommend to start with the table name (Perf), to avoid unneeded search of the entire DB.
To get the latest report I suggest using "arg_max", which would be more accurate than "summarize min". "arg_max" is intended exactly to return the the record that has a maximum value, in this case the record with the maximum TimeGenerated (meaning it is the latest record found). For example:
Perf | where TimeGenerated > ago(1d) | where ObjectName == "LogicalDisk" and CounterName == "% Free Space" | summarize (TimeGenerated, Free_Space_Percent)=arg_max(TimeGenerated, CounterValue) by Computer, InstanceName | where strlen(InstanceName) ==2 and InstanceName contains ":"
The above example will returns the maximum free space percent for each computer and instance:
The same can be done for free MB.
To combine the results of both calculations I recommend using "Join", which lets you match results by computer and instance names. See the join example here.
The results look like this:
HTH,
Noa
Noa Kuperberg
Microsoft
Feb 18, 2018Hi Rajinder Rahul,
Your question is very popular, indeed many times users want to get the latest report of a computer performance counter (such as free space). Note that the overall size of the disk is not reported AFAIK but the free percent of it and free MB are.
First, I highly recommend to start with the table name (Perf), to avoid unneeded search of the entire DB.
To get the latest report I suggest using "arg_max", which would be more accurate than "summarize min". "arg_max" is intended exactly to return the the record that has a maximum value, in this case the record with the maximum TimeGenerated (meaning it is the latest record found). For example:
Perf | where TimeGenerated > ago(1d) | where ObjectName == "LogicalDisk" and CounterName == "% Free Space" | summarize (TimeGenerated, Free_Space_Percent)=arg_max(TimeGenerated, CounterValue) by Computer, InstanceName | where strlen(InstanceName) ==2 and InstanceName contains ":"
The above example will returns the maximum free space percent for each computer and instance:
The same can be done for free MB.
To combine the results of both calculations I recommend using "Join", which lets you match results by computer and instance names. See the join example here.
The results look like this:
HTH,
Noa
KrishnaChaitanya
Aug 27, 2021Copper Contributor
Hi Noa,
I've followed your approach to find disk size of each drive for Windows VM's and it is working well. I've validated it against the disk size in portal and they are matching!!
But when I tried to use the same approach for Linux VM's it's not working.
I want to find the size of each data disk from two metrics : % Used Space and Free Megabytes.
Linux Vm's have % Used Space metric instead of % Free Space. So, I've calculated the % Free Space by subtracting % Used space from 100.
I've calculated disksize = (((Free Megabytes/(100 - % Used Space))*100)/1024).
But the resultant disk size did not match with the disk size in portal.
Can you please help me regarding this
Thank you