Jul 27 2021
11:22 PM
- last edited on
Apr 08 2022
10:51 AM
by
TechCommunityAP
Jul 27 2021
11:22 PM
- last edited on
Apr 08 2022
10:51 AM
by
TechCommunityAP
Good Morning all,
I'm hoping to get some help with log analytics, I'm trying to write a simple query that returns the percentage of used disk space for both Windows and Linux VMs.
For Linux VMs the following works great and display exactly what I am looking for.
But if I change "Logical Disk" to "LogicalDisk" for Windows VMs it doesn't return any records
I can query free disk space on Windows VMs using this code from @Noa Kuperberg but I'm looking for used space, not free space.
Perf
| where ObjectName == "LogicalDisk" or // the object name used in Windows records
ObjectName == "Logical Disk" // the object name used in Linux records
| where CounterName == "Free Megabytes"
| summarize avg_free_disk_MB=avg(CounterValue) by Computer, InstanceName
Any help much appreciated.
Thanks!
Jul 29 2021 02:29 AM
@Hairy_Zeus You need two Perf counters, this is from a few years ago, so could be improved on I think, but it works or at least can give you an idea.
//
// combine % free and Free space to get volume size as well as %free
//
Perf
| where Computer startswith "RDS"
// add other computers here
| where CounterName == "Free Megabytes"
| where TimeGenerated > startofday(ago(1d))
| where InstanceName has ":" and strlen(InstanceName) ==2 // only look at drive letters
| summarize MbFree=avg(CounterValue) by Computer,InstanceName,bin(TimeGenerated, 5m)
| summarize arg_max(TimeGenerated, *) by Computer,InstanceName
|join kind= inner
(
Perf
| where CounterName == "% Free Space"
| where TimeGenerated > startofday(ago(1d))
| where InstanceName has ":" and strlen(InstanceName) ==2 // only look at drive letters
| summarize PctFree=avg(CounterValue) by Computer,InstanceName,bin(TimeGenerated, 5m)
| summarize arg_max(TimeGenerated, *) by Computer,InstanceName
)
on Computer , InstanceName
| project TotalSizeGB=round(MbFree*100/PctFree/1024,0),
round(PctFree,2),
round(MbFree,2),
Computer,
InstanceName
| summarize FreePCT=avg(PctFree) by Computer,
DriveLetter = InstanceName,
TotalSizeGB,
FreeGB = round(MbFree / 1024,2)
| sort by DriveLetter asc
| project Computer, DriveLetter, TotalSizeGB, FreeGB, FreePCT, Inuse = TotalSizeGB - FreeGB
Jul 29 2021 05:04 AM
@CliveWatson thanks for the reply, much appreciated. This is perfect for Windows servers but it doesn't look like it's pulling any data for Linux servers, any idea how I can pull the same data in the same query for Linux servers also?
Jul 29 2021 09:21 AM
Solution
Maybe this?
Perf
//| where Computer !startswith "A" //or Computer startswith "J" //testing
| where TimeGenerated > startofday(ago(1d))
| where CounterName in ( "% Free Space" , "% Used Space", "Free Megabytes")
| where InstanceName !contains 'Harddisk' and InstanceName != '_Total'
| summarize PctFree=avgif(CounterValue, CounterName == "% Free Space" ),
Linux =avgif(CounterValue, CounterName == "% Used Space"),
MbFree =avgif(CounterValue, CounterName == "Free Megabytes"),
arg_max(TimeGenerated, Computer) by Computer, InstanceName
| extend PctFree = iif(isnan(PctFree),Linux,PctFree)
| project-away Linux, Computer1
| project TotalSizeGB=round(MbFree*100/PctFree/1024,0),
round(PctFree,2),
round(MbFree,2),
Computer,
InstanceName
| summarize FreePCT=avg(PctFree) by Computer,
InstanceName,
TotalSizeGB,
FreeGB = round(MbFree / 1024,2)
| sort by Computer asc, InstanceName asc
| project Computer, InstanceName, TotalSizeGB, FreeGB, GBinUse = TotalSizeGB - FreeGB, FreePCT
Jul 29 2021 12:50 PM
Jul 29 2021 09:21 AM
Solution
Maybe this?
Perf
//| where Computer !startswith "A" //or Computer startswith "J" //testing
| where TimeGenerated > startofday(ago(1d))
| where CounterName in ( "% Free Space" , "% Used Space", "Free Megabytes")
| where InstanceName !contains 'Harddisk' and InstanceName != '_Total'
| summarize PctFree=avgif(CounterValue, CounterName == "% Free Space" ),
Linux =avgif(CounterValue, CounterName == "% Used Space"),
MbFree =avgif(CounterValue, CounterName == "Free Megabytes"),
arg_max(TimeGenerated, Computer) by Computer, InstanceName
| extend PctFree = iif(isnan(PctFree),Linux,PctFree)
| project-away Linux, Computer1
| project TotalSizeGB=round(MbFree*100/PctFree/1024,0),
round(PctFree,2),
round(MbFree,2),
Computer,
InstanceName
| summarize FreePCT=avg(PctFree) by Computer,
InstanceName,
TotalSizeGB,
FreeGB = round(MbFree / 1024,2)
| sort by Computer asc, InstanceName asc
| project Computer, InstanceName, TotalSizeGB, FreeGB, GBinUse = TotalSizeGB - FreeGB, FreePCT