Query for Disk Space utilization

%3CLINGO-SUB%20id%3D%22lingo-sub-1369878%22%20slang%3D%22en-US%22%3EQuery%20for%20Disk%20Space%20utilization%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1369878%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHello%20all.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20trying%20to%20get%20the%20disk%20space%20information%20for%20some%20VMs%2C%20but%20I%20want%20to%20inform%20the%20VM%20Name%20that%20I%20need%20the%20information.%20Actually%20I'm%20using%20the%20below%20script%2C%20but%20if%2C%20I%20inform%20more%20than%20one%20VM%2C%20the%20script%20don't%20show%20the%20informations.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3Elet%20start_time%3Dstartofday(%3C%2FSPAN%3E%3CSPAN%3Edatetime%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E%222020-05-06%22%3C%2FSPAN%3E%3CSPAN%3E))%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3Elet%20end_time%3Dendofday(%3C%2FSPAN%3E%3CSPAN%3Edatetime%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3E%222020-05-06%22%3C%2FSPAN%3E%3CSPAN%3E))%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EPerf%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20TimeGenerated%20%26gt%3B%20start_time%20%3C%2FSPAN%3E%3CSPAN%3Eand%3C%2FSPAN%3E%3CSPAN%3E%20TimeGenerated%20%26lt%3B%20end_time%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20ObjectName%20%3D%3D%20%3C%2FSPAN%3E%3CSPAN%3E%22LogicalDisk%22%3C%2FSPAN%3E%20%3CSPAN%3Eand%3C%2FSPAN%3E%3CSPAN%3E%20CounterName%20%3D%3D%20%3C%2FSPAN%3E%3CSPAN%3E%22%25%20Free%20Space%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20InstanceName%20%3C%2FSPAN%3E%3CSPAN%3Econtains%3C%2FSPAN%3E%20%3CSPAN%3E%22D%3A%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20Computer%20%3C%2FSPAN%3E%3CSPAN%3Econtains%3C%2FSPAN%3E%20%3CSPAN%3E%22VM72%22%3C%2FSPAN%3E%20%3CSPAN%3Eand%3C%2FSPAN%3E%3CSPAN%3E%20Computer%20c%3C%2FSPAN%3E%3CSPAN%3Eontains%3C%2FSPAN%3E%20%3CSPAN%3E%22VM073%22%3C%2FSPAN%3E%20%3CSPAN%3Eand%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EComputer%20c%3C%2FSPAN%3E%3CSPAN%3Eontains%3C%2FSPAN%3E%20%3CSPAN%3E%22VM74%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EPlease%2C%20someone%20can%20help%20me%20on%20this%3F%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1369878%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EQuery%20Language%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1373210%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20for%20Disk%20Space%20utilization%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1373210%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F115965%22%20target%3D%22_blank%22%3E%40Lucas%20Chies%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIN%20or%20Has_any%20could%20be%20used%2C%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdata-explorer%2Fkusto%2Fquery%2Fbest-practices%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ebest%20practise%3C%2FA%3E%20is%20to%20prefer%20HAS%20over%20CONTAINS.%26nbsp%3B%20However%20this%20may%20be%20an%20issue%20if%20you%20really%20are%20looking%20for%20substrings%20like%20VM073%20(which%20is%20part%20of%20a%20name)%20-%20can%20you%20use%20the%20full%20name%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3Elet%20start_time%3Dstartofday(datetime(%222020-05-06%22))%3B%0Alet%20end_time%3Dendofday(datetime(%222020-05-06%22))%3B%0APerf%0A%7C%20where%20TimeGenerated%20%26gt%3B%20start_time%20and%20TimeGenerated%20%26lt%3B%20end_time%0A%7C%20where%20Computer%20in%20(%22demo1%22%2C%22demo2%22%2C%22RETAILVM01%22)%0A%7C%20where%20ObjectName%20%3D%3D%20%22LogicalDisk%22%20and%20CounterName%20%3D%3D%20%22%25%20Free%20Space%22%0A%7C%20where%20InstanceName%20has%20%22D%3A%22%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1373221%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20for%20Disk%20Space%20utilization%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1373221%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F115965%22%20target%3D%22_blank%22%3E%40Lucas%20Chies%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20answer%20the%20original%20question%2C%20you%20could%20use%20OR%20rather%20than%20AND%2C%20or%20use%20regex%2C%20like%20this%3F%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3Elet%20start_time%3Dstartofday(datetime(%222020-05-06%22))%3B%0Alet%20end_time%3Dendofday(datetime(%222020-05-06%22))%3B%0APerf%0A%7C%20where%20TimeGenerated%20%26gt%3B%20start_time%20and%20TimeGenerated%20%26lt%3B%20end_time%0A%7C%20where%20Computer%20matches%20regex%20'(%3Fi)%5Ba-z%5DVM0%2B'%20or%20Computer%20matches%20regex%20'(%3Fi)%5Ba-z%5DVM%2B'%0A%7C%20where%20ObjectName%20%3D%3D%20%22LogicalDisk%22%20and%20CounterName%20%3D%3D%20%22%25%20Free%20Space%22%0A%7C%20where%20InstanceName%20has%20%22D%3A%22%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eand%20simply%20using%20OR%20-%20see%20line%205%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3Elet%20start_time%3Dstartofday(datetime(%222020-05-06%22))%3B%0Alet%20end_time%3Dendofday(datetime(%222020-05-06%22))%3B%0APerf%0A%7C%20where%20TimeGenerated%20%26gt%3B%20start_time%20and%20TimeGenerated%20%26lt%3B%20end_time%0A%7C%20where%20Computer%20contains%20%22retail%22%20or%20Computer%20contains%20%22demo%22%20%0A%7C%20where%20ObjectName%20%3D%3D%20%22LogicalDisk%22%20and%20CounterName%20%3D%3D%20%22%25%20Free%20Space%22%0A%7C%20where%20InstanceName%20has%20%22D%3A%22%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

 

Hello all.

 

I'm trying to get the disk space information for some VMs, but I want to inform the VM Name that I need the information. Actually I'm using the below script, but if, I inform more than one VM, the script don't show the informations.

 

let start_time=startofday(datetime("2020-05-06"));
let end_time=endofday(datetime("2020-05-06"));
Perf
| where TimeGenerated > start_time and TimeGenerated < end_time
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| where InstanceName contains "D:"
| where Computer contains "VM72" and Computer contains "VM073" and
Computer contains "VM74"
 
Please, someone can help me on this?
2 Replies

@Lucas Chies 

 

IN or Has_any could be used, best practise is to prefer HAS over CONTAINS.  However this may be an issue if you really are looking for substrings like VM073 (which is part of a name) - can you use the full name?

 

let start_time=startofday(datetime("2020-05-06"));
let end_time=endofday(datetime("2020-05-06"));
Perf
| where TimeGenerated > start_time and TimeGenerated < end_time
| where Computer in ("demo1","demo2","RETAILVM01")
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| where InstanceName has "D:"

 

@Lucas Chies 

 

To answer the original question, you could use OR rather than AND, or use regex, like this?

let start_time=startofday(datetime("2020-05-06"));
let end_time=endofday(datetime("2020-05-06"));
Perf
| where TimeGenerated > start_time and TimeGenerated < end_time
| where Computer matches regex '(?i)[a-z]VM0+' or Computer matches regex '(?i)[a-z]VM+'
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| where InstanceName has "D:"

 

and simply using OR - see line 5 

let start_time=startofday(datetime("2020-05-06"));
let end_time=endofday(datetime("2020-05-06"));
Perf
| where TimeGenerated > start_time and TimeGenerated < end_time
| where Computer contains "retail" or Computer contains "demo" 
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| where InstanceName has "D:"