This is somewhat of a repeat question, but since the original is a couple of years old and does not produce results for me, I am resurrecting it to see if methods have changed.
I get Perfmon results in my splunk instance for total drive space instead of for individual drives (which would be more valuable). I tried using the tips in this article, but still meet with failure: http://answers.splunk.com/answers/41550/getting-drive-specific-disk-space-information-from-hosts.htm...
Please help! how can I get my individual drive data?
In the inputs.conf collecting your data, make sure you set instance = *
instead of instance = Total
. Then check that you're getting events for each instance rather than just combined values.
Well, I'm slowly running out of questions to ask... anything interesting in _internal for that forwarder?
Do open a support ticket for this, sounds very fishy indeed.
Hummm. What happens if you explicitly list instances that are available in the local Perfmon?
I tried. same problem.
Restarted the UF after making the inputs.conf change?
Affirmative
So, are there any events with instance
not equals Total?
Nope. That's what I'm trying to accomplish!
Have done so already:
[perfmon:FreeDiskSpace]
counters = Free Megabytes;% Free Space
disabled = 0
instances = *
interval = 5
object = LogicalDisk
I saw your comment on the other post as well. I have no index called perfstats, and there is no field called %_Free_Space in my perfmon sourcetype. When I adjusted your search to match the value field in perfmon, it listed it (as your query suggests) by the host name only, NOT by drive letter.
Sorry!
What field are you using to get the total drive space? I hit that same problem, but was initially using %_Free_Space and it would return free space percentage across all drives.
Here's a sample of my data:
Host Value app collection counter eventtype host index instance linecount object product punct source sourcetype splunk_server unix_category unix_group vendor raw _time
apset0725 56.79023063 Free Disk Space % Free Space perfmon windows_performance apset0725 it_test _Total 6 LogicalDisk //::.-\r=""\r=\r="%"\r=\r=. Perfmon:Free Disk Space Perfmon:Free Disk Space apsrd3084 all_hosts default "12/12/2014 15:23:17.778 -0600
collection=""Free Disk Space""
object=LogicalDisk
counter=""% Free Space""
instance=_Total
Value=56.790230633446193" 2014-12-12T15:23:17.000-0600
apset0725 78500 Free Disk Space Free Megabytes perfmon windows_performance apset0725 it_test _Total 6 LogicalDisk //::.-\r=""\r=\r=""\r=\r= Perfmon:Free Disk Space Perfmon:Free Disk Space apsrd3084 all_hosts default "12/12/2014 15:23:17.778 -0600
collection=""Free Disk Space""
object=LogicalDisk
counter=""Free Megabytes""
instance=_Total
Value=78500" 2014-12-12T15:23:17.000-0600
Try this for drive C, for example.
index=perfstats host=servername C | timechart avg("%_Free_Space") by host
or for drive D
index=perfstats host=servername D | timechart avg("%_Free_Space") by host