SOLVED

Assistance with Log Analytics Disk Query

Copper Contributor

Good Morning all,

 

I'm hoping to get some help with log analytics, I'm trying to write a simple query that returns the percentage of used disk space for both Windows and Linux VMs.

 

For Linux VMs the following works great and display exactly what I am looking for.

Hairy_Zeus_0-1627452534668.png

But if I change "Logical Disk" to "LogicalDisk" for Windows VMs it doesn't return any records

Hairy_Zeus_2-1627452680438.png

I can query free disk space on Windows VMs using this code from @Noa Kuperberg but I'm looking for used space, not free space.

 

Perf
| where ObjectName == "LogicalDisk" or // the object name used in Windows records
ObjectName == "Logical Disk" // the object name used in Linux records
| where CounterName == "Free Megabytes"
| summarize avg_free_disk_MB=avg(CounterValue) by Computer, InstanceName

 

Any help much appreciated.

 

Thanks!

 

4 Replies

@Hairy_Zeus You need two Perf counters, this is from a few years ago, so could be improved on I think, but it works or at least can give you an idea.

 

//
// combine % free and Free space to get volume size as well as %free
//

Perf
| where Computer startswith "RDS" 
// add other computers here
| where CounterName == "Free Megabytes"
| where TimeGenerated > startofday(ago(1d))
| where InstanceName has ":" and strlen(InstanceName) ==2 // only look at drive letters
| summarize MbFree=avg(CounterValue) by Computer,InstanceName,bin(TimeGenerated, 5m)
| summarize arg_max(TimeGenerated, *) by Computer,InstanceName
|join kind= inner
(
    Perf
    | where CounterName == "% Free Space"
    | where TimeGenerated > startofday(ago(1d))
    | where InstanceName has ":" and strlen(InstanceName) ==2 // only look at drive letters
    | summarize PctFree=avg(CounterValue) by Computer,InstanceName,bin(TimeGenerated, 5m)
    | summarize arg_max(TimeGenerated, *) by Computer,InstanceName
)
on Computer , InstanceName 
| project   TotalSizeGB=round(MbFree*100/PctFree/1024,0), 
            round(PctFree,2),
            round(MbFree,2), 
            Computer, 
            InstanceName
| summarize FreePCT=avg(PctFree) by Computer,
            DriveLetter = InstanceName,
            TotalSizeGB,
            FreeGB = round(MbFree / 1024,2)
| sort by DriveLetter  asc
| project Computer, DriveLetter, TotalSizeGB, FreeGB, FreePCT, Inuse = TotalSizeGB - FreeGB

 

@CliveWatson thanks for the reply, much appreciated. This is perfect for Windows servers but it doesn't look like it's pulling any data for Linux servers, any idea how I can pull the same data in the same query for Linux servers also?

best response confirmed by Hairy_Zeus (Copper Contributor)
Solution

@Hairy_Zeus

 

Maybe this?

 

Perf
//| where Computer !startswith "A" //or Computer startswith "J" //testing
| where TimeGenerated > startofday(ago(1d))
| where CounterName in ( "% Free Space" , "% Used Space", "Free Megabytes")
| where InstanceName !contains 'Harddisk' and InstanceName != '_Total'
| summarize PctFree=avgif(CounterValue, CounterName == "% Free Space" ), 
            Linux  =avgif(CounterValue, CounterName == "% Used Space"), 
            MbFree =avgif(CounterValue, CounterName == "Free Megabytes"),
            arg_max(TimeGenerated, Computer) by Computer, InstanceName 
| extend PctFree = iif(isnan(PctFree),Linux,PctFree)
| project-away Linux, Computer1
| project TotalSizeGB=round(MbFree*100/PctFree/1024,0), 
            round(PctFree,2),
            round(MbFree,2), 
            Computer, 
            InstanceName
| summarize FreePCT=avg(PctFree) by Computer,
            InstanceName,
            TotalSizeGB,
            FreeGB = round(MbFree / 1024,2)
| sort by Computer asc, InstanceName asc
| project Computer, InstanceName, TotalSizeGB, FreeGB,  GBinUse = TotalSizeGB - FreeGB, FreePCT

 

This is exactly what I was looking for, you're a life saver. Thank you very much!
1 best response

Accepted Solutions
best response confirmed by Hairy_Zeus (Copper Contributor)
Solution

@Hairy_Zeus

 

Maybe this?

 

Perf
//| where Computer !startswith "A" //or Computer startswith "J" //testing
| where TimeGenerated > startofday(ago(1d))
| where CounterName in ( "% Free Space" , "% Used Space", "Free Megabytes")
| where InstanceName !contains 'Harddisk' and InstanceName != '_Total'
| summarize PctFree=avgif(CounterValue, CounterName == "% Free Space" ), 
            Linux  =avgif(CounterValue, CounterName == "% Used Space"), 
            MbFree =avgif(CounterValue, CounterName == "Free Megabytes"),
            arg_max(TimeGenerated, Computer) by Computer, InstanceName 
| extend PctFree = iif(isnan(PctFree),Linux,PctFree)
| project-away Linux, Computer1
| project TotalSizeGB=round(MbFree*100/PctFree/1024,0), 
            round(PctFree,2),
            round(MbFree,2), 
            Computer, 
            InstanceName
| summarize FreePCT=avg(PctFree) by Computer,
            InstanceName,
            TotalSizeGB,
            FreeGB = round(MbFree / 1024,2)
| sort by Computer asc, InstanceName asc
| project Computer, InstanceName, TotalSizeGB, FreeGB,  GBinUse = TotalSizeGB - FreeGB, FreePCT

 

View solution in original post