Get Perfmon drive info for specific disks Splunk 6...

feickertmd · ‎12-12-2014

This is somewhat of a repeat question, but since the original is a couple of years old and does not produce results for me, I am resurrecting it to see if methods have changed.

I get Perfmon results in my splunk instance for total drive space instead of for individual drives (which would be more valuable). I tried using the tips in this article, but still meet with failure: http://answers.splunk.com/answers/41550/getting-drive-specific-disk-space-information-from-hosts.htm...

Please help! how can I get my individual drive data?

martin_mueller · ‎12-13-2014

In the inputs.conf collecting your data, make sure you set instance = * instead of instance = Total. Then check that you're getting events for each instance rather than just combined values.

martin_mueller · ‎12-16-2014

Well, I'm slowly running out of questions to ask... anything interesting in _internal for that forwarder?

Do open a support ticket for this, sounds very fishy indeed.

martin_mueller · ‎12-15-2014

Hummm. What happens if you explicitly list instances that are available in the local Perfmon?

feickertmd · ‎12-16-2014

I tried. same problem.

martin_mueller · ‎12-15-2014

Restarted the UF after making the inputs.conf change?

feickertmd · ‎12-15-2014

Affirmative

martin_mueller · ‎12-15-2014

So, are there any events with instance not equals Total?

feickertmd · ‎12-15-2014

Nope. That's what I'm trying to accomplish!

feickertmd · ‎12-15-2014

Have done so already:

[perfmon:FreeDiskSpace]
counters = Free Megabytes;% Free Space
disabled = 0
instances = *
interval = 5
object = LogicalDisk

feickertmd · ‎12-12-2014

I saw your comment on the other post as well. I have no index called perfstats, and there is no field called %_Free_Space in my perfmon sourcetype. When I adjusted your search to match the value field in perfmon, it listed it (as your query suggests) by the host name only, NOT by drive letter.

Sorry!

mark_chuman · ‎12-12-2014

What field are you using to get the total drive space? I hit that same problem, but was initially using %_Free_Space and it would return free space percentage across all drives.

feickertmd · ‎12-12-2014

Here's a sample of my data:

Host Value app collection counter eventtype host index instance linecount object product punct source sourcetype splunk_server unix_category unix_group vendor raw _time
apset0725 56.79023063 Free Disk Space % Free Space perfmon windows_performance apset0725 it_test _Total 6 LogicalDisk //::.-\r=""\r=\r="%"\r=\r=. Perfmon:Free Disk Space Perfmon:Free Disk Space apsrd3084 all_hosts default "12/12/2014 15:23:17.778 -0600
collection=""Free Disk Space""
object=LogicalDisk
counter=""% Free Space""
instance=_Total
Value=56.790230633446193" 2014-12-12T15:23:17.000-0600
apset0725 78500 Free Disk Space Free Megabytes perfmon windows_performance apset0725 it_test _Total 6 LogicalDisk //::.-\r=""\r=\r=""\r=\r= Perfmon:Free Disk Space Perfmon:Free Disk Space apsrd3084 all_hosts default "12/12/2014 15:23:17.778 -0600
collection=""Free Disk Space""
object=LogicalDisk
counter=""Free Megabytes""
instance=_Total
Value=78500" 2014-12-12T15:23:17.000-0600

mark_chuman · ‎12-12-2014

Try this for drive C, for example.

index=perfstats host=servername C | timechart avg("%_Free_Space") by host

or for drive D

index=perfstats host=servername D | timechart avg("%_Free_Space") by host

Get Perfmon drive info for specific disks Splunk 6.1

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes