Exclude UBS drives from query results for Percentage FreeSpace

Copper Contributor

Hi,

 

I have the below query to alert on Percentage FreeSpace on Drives....we want to exclude UBS drives from the result set. Is there a way to figure if the instance is a UBS drive or not and exclude it from the Query. Appreciate your response on this.

 

Perf
| where CounterName == '% Free Space' and InstanceName != '_Total'
| where InstanceName !contains 'HarddiskVolume'
|summarize AggregatedValue=avg(CounterValue) by Computer,InstanceName,bin(TimeGenerated, 5m)
| where AggregatedValue < 5

 

Thanks

RC

 

 

1 Reply

@RCDevops777 

 

I suspect you'll need another source of data as well as the Perf table.  Ideas could be, a custom log (using PowerShell / Logic Apps, one example of this) to find this data and upload that to Log analytics, or enable auditing

However note, auditing would only have data (event id 4663) for new drives added.  

 

if you are lucky to have USB drives of a certain size then maybe exclude those?

Note: you need the extra Perf counter "Free Megabytes"

 

//
// combine % free and Free space to get volume size as well as %free
//

Perf
//| where Computer startswith "RDS" 
| where CounterName == "Free Megabytes"
| where TimeGenerated > startofday(ago(1d))
| where InstanceName has ":" and strlen(InstanceName) ==2 // only look at drive letters
| summarize MbFree=avg(CounterValue) by Computer,InstanceName,bin(TimeGenerated, 5m)
| summarize arg_max(TimeGenerated, *) by Computer,InstanceName
|join kind= inner
(
    Perf
    | where CounterName == "% Free Space"
    | where TimeGenerated > startofday(ago(1d))
    | where InstanceName has ":" and strlen(InstanceName) ==2 // only look at drives with letters
    | summarize PctFree=avg(CounterValue) by Computer,InstanceName,bin(TimeGenerated, 5m)
    | summarize arg_max(TimeGenerated, *) by Computer,InstanceName
)
on Computer , InstanceName 
| project   TotalSizeGB=round(MbFree*100/PctFree/1024,0), 
            round(PctFree,2),
            round(MbFree,2), 
            Computer, 
            InstanceName
| summarize FreePCT=avg(PctFree) by Computer,
            DriveLetter = InstanceName,
            TotalSizeGB,
            FreeGB = round(MbFree / 1024,2)
| sort by DriveLetter  asc

Annotation 2019-04-25 085324.jpg

 

Example PowerShell: https://devblogs.microsoft.com/scripting/inventory-drive-types-by-using-powershell/ and https://docs.microsoft.com/en-us/azure/azure-monitor/platform/runbook-datacollect