Forum Discussion

Rajinder Rahul's avatar
Rajinder Rahul
Copper Contributor
Feb 17, 2018

Help with Disk query in Log Analytics

Hi

 

I was wondering if I could get some help with Log analytics. New to this so bear with me.

 

I'm trying to create a query that will provide informtaion on disk utilisation in Azure. I've gottwo commands (below), however I'm not able to merge them as I would like one query which gives me % free space, overall size of disk, name of vm and name of disk. Anything else I can get in terms of disk usage would be great, not overly concerned with IOPs at the moment.

 

The commands are:

Thsi proivides info on free space: 

search ObjectName == "LogicalDisk" and CounterName == "% Free Space"

 

This one provides information on free Mb remaining.

search ObjectName == "LogicalDisk" and CounterName == "Free Megabytes"

 

I have tried this which helps, but again information is quite limited

search ObjectName == "LogicalDisk" and CounterName == "Free Megabytes" and TimeGenerated > ago(1d)
| summarize FreeSpace = min(CounterValue) by Computer, InstanceName
| where strlen(InstanceName) ==2 and InstanceName contains ":"

 

Thanks in advance 🙂

 

  • Hi Rajinder Rahul,

     

    Your question is very popular, indeed many times users want to get the latest report of a computer performance counter (such as free space). Note that the overall size of the disk is not reported AFAIK but the free percent of it and free MB are.

     

    First, I highly recommend to start with the table name (Perf), to avoid unneeded search of the entire DB.

     

    To get the latest report I suggest using "arg_max", which would be more accurate than "summarize min". "arg_max" is intended exactly to return the the record that has a maximum value, in this case the record with the maximum TimeGenerated (meaning it is the latest record found). For example:

    Perf
    | where TimeGenerated > ago(1d)
    | where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
    | summarize (TimeGenerated, Free_Space_Percent)=arg_max(TimeGenerated, CounterValue) by Computer, InstanceName
    | where strlen(InstanceName) ==2 and InstanceName contains ":"

     

    The above example will returns the maximum free space percent for each computer and instance:

    The same can be done for free MB.

     

    To combine the results of both calculations I recommend using "Join", which lets you match results by computer and instance names. See the join example here.

    The results look like this:

    HTH,

    Noa

     
  • DevOps220's avatar
    DevOps220
    Copper Contributor

    How to check the disk failure in log analytics


    Rajinder Rahul wrote:

    Hi

     

    I was wondering if I could get some help with Log analytics. New to this so bear with me.

     

    I'm trying to create a query that will provide informtaion on disk utilisation in Azure. I've gottwo commands (below), however I'm not able to merge them as I would like one query which gives me % free space, overall size of disk, name of vm and name of disk. Anything else I can get in terms of disk usage would be great, not overly concerned with IOPs at the moment.

     

    The commands are:

    Thsi proivides info on free space: 

    search ObjectName == "LogicalDisk" and CounterName == "% Free Space"

     

    This one provides information on free Mb remaining.

    search ObjectName == "LogicalDisk" and CounterName == "Free Megabytes"

     

    I have tried this which helps, but again information is quite limited

    search ObjectName == "LogicalDisk" and CounterName == "Free Megabytes" and TimeGenerated > ago(1d)
    | summarize FreeSpace = min(CounterValue) by Computer, InstanceName
    | where strlen(InstanceName) ==2 and InstanceName contains ":"

     

    Thanks in advance :)

     


     

    • krish317's avatar
      krish317
      Copper Contributor
      Hi
      I am Trying to create query for the disk IOPS and below is the query, I was getting data but i am not sure whether this the correct one to monitor the disk IOPS
      Can someone have a quick look and respond 🙂
      Perf
      | where ObjectName == "LogicalDisk" and CounterName == "Disk Transfers/sec" and InstanceName != "_Total" and InstanceName !contains "HarddiskVolume"
      | summarize IopsAvg = avg(CounterValue), IopsMax = max(CounterValue) by InstanceName,Computer
      | project Computer,InstanceName,IopsAvg,IopsMax
  • Hi Rajinder Rahul,

     

    Your question is very popular, indeed many times users want to get the latest report of a computer performance counter (such as free space). Note that the overall size of the disk is not reported AFAIK but the free percent of it and free MB are.

     

    First, I highly recommend to start with the table name (Perf), to avoid unneeded search of the entire DB.

     

    To get the latest report I suggest using "arg_max", which would be more accurate than "summarize min". "arg_max" is intended exactly to return the the record that has a maximum value, in this case the record with the maximum TimeGenerated (meaning it is the latest record found). For example:

    Perf
    | where TimeGenerated > ago(1d)
    | where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
    | summarize (TimeGenerated, Free_Space_Percent)=arg_max(TimeGenerated, CounterValue) by Computer, InstanceName
    | where strlen(InstanceName) ==2 and InstanceName contains ":"

     

    The above example will returns the maximum free space percent for each computer and instance:

    The same can be done for free MB.

     

    To combine the results of both calculations I recommend using "Join", which lets you match results by computer and instance names. See the join example here.

    The results look like this:

    HTH,

    Noa

     
    • KrishnaChaitanya's avatar
      KrishnaChaitanya
      Copper Contributor

      Noa Kuperberg 

      Hi Noa,

      I've followed your approach to find disk size of each drive for Windows VM's and it is working well. I've validated it against the disk size in portal and they are matching!!

      But when I tried to use the same approach for Linux VM's it's not working.

      I want to find the size of each data disk from two metrics : % Used Space and Free Megabytes.

      Linux Vm's have % Used Space metric instead of % Free Space. So, I've calculated the % Free Space by subtracting % Used space from 100.

      I've calculated disksize = (((Free Megabytes/(100 - % Used Space))*100)/1024).

      But the resultant disk size did not match with the disk size in portal.

      Can you please help me regarding this

       

      Thank you  

    • Pratyusha1609's avatar
      Pratyusha1609
      Copper Contributor

      Noa Kuperberg 

      Hi Noa, the "% Free Space" query somehow does not show any data for me.
      I have a log analytics workspace with 2 VMs connected. 

      Any idea why they dont show? What setting am I missing here ?

    • Rajinder Rahul's avatar
      Rajinder Rahul
      Copper Contributor

      Thanks Noa

       

      That's a great help, would you know if I can get "% Used Space", would be good to add any other metrics I can regarding logicaldisk information

       

      Thanks 

      • Noa Kuperberg's avatar
        Noa Kuperberg
        Icon for Microsoft rankMicrosoft

        Hey,

        You can do the same calculation with many disk counters.

        I checked the reports from the last day to evaluate that (I believe it covers all or most of the possible disk counters)

        • Disk Transfers/sec
        • Current Disk Queue Length
        • Avg. Disk sec/Write
        • Avg. Disk sec/Read
        • Disk Reads/sec
        • % Free Space
        • Free Megabytes
        • Disk Writes/sec

Resources