Assistance with KQL (Disk space high alert)


I am using KQL language under log analytics workspace (Azure monitoring)

Perf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space" and Computer != "net-fs3.networkhg.org.uk" and Computer != "NET-FS1.networkhg.org.uk" and Computer != "NET-SQL3.networkhg.org.uk" and Computer != "NET-EDMLIVEDB1.networkhg.org.uk" and Computer != "NET-EDM_KOFAX1.networkhg.org.uk"
| summarize Free_Space = min(CounterValue) by Computer, InstanceName
| where strlen(InstanceName) == 2 and InstanceName contains ":" and Computer != "NET-REPAIR2.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "NH-E2016-01.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "NH-E2016-02.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "net-boxi1.networkhg.org.uk" and InstanceName !contains ":D"
| where Free_Space < 10

Can you please help me with this query? I want to make sure that only one instance of the computer is being monitored instead of all, for example:

Computer != "net-boxi1.networkhg.org.uk" and InstanceName !contains ":D"

In this instance I want that computer to avoid the D drive instead of all drives, like I have specified in the query for all the computers, as I want other drives to be monitored.

3 Replies
@Arslan11

Is this right?

Perf
// set up filters
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space" 
| where strlen(InstanceName) == 2 and InstanceName contains ":" 
// exclude ALL these named computers 
| where Computer !in ("net-fs3.networkhg.org.uk","NET-FS1.networkhg.org.uk","NET-SQL3.networkhg.org.uk",
                    "NET-EDMLIVEDB1.networkhg.org.uk","NET-EDM_KOFAX1.networkhg.org.uk")
// Show all
| summarize Free_Space = min(CounterValue) by Computer , InstanceName
// Exclude these drive / Computer combinations
// Use a "1" to denote an exclude else "0"
| extend ComputerList = case(
                            Computer == "NET-REPAIR2.networkhg.org.uk" and InstanceName == "E:",1,
                            Computer == "NH-E2016-01.networkhg.org.uk" and InstanceName == "E:",1,
                            Computer == "NH-E2016-02.networkhg.org.uk" and InstanceName == "E:",1,   
                            Computer == "net-boxi1.networkhg.org.uk"   and InstanceName == "D:",1,
                            //else zero
                            0)
| where ComputerList !=1
| where Free_Space < 10
| project-away ComputerList

@Clive Watson thanks, it worked

@Clive Watson thanks it worked
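
A table-driven variant of the query in the reply above, added here as an example and not part of the original thread: the per-drive exclusions live in a `datatable` and are removed with a `leftanti` join, so adding an exception is one row rather than another `case()` branch. The names `ExcludedComputers` and `ExcludedDrives` and the case-insensitive matching are assumptions of this example; the computer names are the ones from the thread.

```kql
// Added example (not from the thread): exclusion lists kept as data.
// Assumption: host names should match regardless of case, because the
// thread's own list mixes "net-fs3..." and "NET-FS1..." styles.

// Computers excluded entirely (all drives).
let ExcludedComputers = dynamic([
    "net-fs3.networkhg.org.uk",
    "net-fs1.networkhg.org.uk",
    "net-sql3.networkhg.org.uk",
    "net-edmlivedb1.networkhg.org.uk",
    "net-edm_kofax1.networkhg.org.uk"
]);
// Computer / drive pairs excluded individually; other drives on the
// same computer are still evaluated.
let ExcludedDrives = datatable(Computer: string, InstanceName: string)
[
    "net-repair2.networkhg.org.uk", "E:",
    "nh-e2016-01.networkhg.org.uk", "E:",
    "nh-e2016-02.networkhg.org.uk", "E:",
    "net-boxi1.networkhg.org.uk",   "D:"
]
| extend ComputerKey = tolower(Computer), DriveKey = toupper(InstanceName)
| project ComputerKey, DriveKey;
Perf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
// Keep only drive-letter instances such as "C:" (drops "_Total" and mount points).
| where strlen(InstanceName) == 2 and InstanceName contains ":"
// !in~ is the case-insensitive form of !in.
| where Computer !in~ (ExcludedComputers)
| summarize Free_Space = min(CounterValue) by Computer, InstanceName
// Normalised join keys so "NET-BOXI1..." and "net-boxi1..." are the same host.
| extend ComputerKey = tolower(Computer), DriveKey = toupper(InstanceName)
// leftanti keeps only rows with no matching computer/drive pair in the exclusion table.
| join kind=leftanti ExcludedDrives on ComputerKey, DriveKey
| where Free_Space < 10
| project-away ComputerKey, DriveKey
```

Because every exclusion is a row or list entry at the top of the query, the set of hosts and drives that the alert will never fire on can be reviewed in one place.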