Splunk Search

How to develop a search to find free disk space using Splunk for Windows server?

aparnaa
Path Finder

We have added the below code in our inputs.conf file for 50+ servers
I am not sure on how to check the free space via search

Can you please guide me on this?

We want to find the total used and available disk space

[perfmon://Free Disk Space]
counters = Free Megabytes;% Free Space
disabled = 0
instances = _Total
interval = 120
object = LogicalDisk
index = infra_index

Thanks
aparna

0 Karma

JDukeSplunk
Builder

Here's what we use. We just tacked this into Splunk_TA_Windows/local/inputs.conf

[perfmon://CPU Load]
index = perfmon
counters = % Processor Time;% User Time
instances = _Total
interval = 60
object = Processor

[perfmon://Available Memory]
index = perfmon
counters = Available Bytes
interval = 60
object = Memory

[perfmon://Free Disk Space]
index = perfmon
counters = Free Megabytes;% Free Space
instances = C:;D:;E:;F:
# 15 minutes
interval = 900
object = LogicalDisk

[perfmon://Network Interface]
index = perfmon
counters = Bytes Received/sec;Bytes Sent/sec
instances = *
interval = 60
object = Network Interface

[perfmon://LocalPhysicalDisk]
index = perfmon
# 5 minutes
interval = 300
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time ;Avg. Disk Bytes/Read; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Write; Avg. Disk Queue Length; Avg. Disk Read Queue Length; Avg. Disk Write Queue Length; Avg. Disk sec/Read; Avg. Disk sec/Transfer; Avg. Disk sec/Write
instances = *
disabled = 0

Then this is the search we use.

    index=perfmon sourcetype="Perfmon:Free Disk Space" counter="Free Megabytes" (instance!="HarddiskVolume*") (instance!=_Total)
    | dedup host instance
    | eval FreeSpace=(Value/1024)
    | eval GB=tostring(FreeSpace,"commas")
    | table host instance GB
    | sort + host instance
    | rename instance as "Drive Letter" GB as "GigaBytes Free"

JDukeSplunk
Builder

One more, to find hosts with low C:\

    index=perfmon sourcetype="Perfmon:Free Disk Space" counter="Free Megabytes" (instance!="HarddiskVolume*") (instance!=_Total) instance=C: Value < 5000
    | dedup host
    | eval FreeSpace=(Value/1024)
    | eval GB=tostring(FreeSpace,"commas")
    | table host instance GB
    | sort + host instance
    | rename instance as "Drive Letter" GB as "GigaBytes Free"

0 Karma

somesoni2
SplunkTrust

Not sure if the perfmon stanza is correct (I've never seen 'Free Disk Space' as a perfmon input). If it's working for you, then you can search the data in Splunk using the following search (a sample one)

    index=infra_index sourcetype="Perfmon:Free Disk Space" counter="Free Megabytes" | dedup host | eval {counter}=Value | table host Free*

Updated input name
If it's not working, I would suggest trying [perfmon://Logical Disk] instead of [perfmon://Free Disk Space]

0 Karma

aaraneta_splunk
Splunk Employee

Hello @aparnaa - I just wanted to clarify something in your question, are you referring to a specific app or add-on in Splunkbase? https://splunkbase.splunk.com

If yes, please let me know which one it is so I can make sure your post is tagged properly to try to get more visibility for you. Thanks!

0 Karma

aparnaa
Path Finder

I am looking to get the details via search, is it possible?

0 Karma

aaraneta_splunk
Splunk Employee

Thanks for your reply, I will leave the tags as is.

0 Karma
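
An added example, not posted by anyone in this thread: one search that derives total and used space per host and instance from the two counters the question's stanza collects (`Free Megabytes` and `% Free Space`). It assumes the asker's index `infra_index`, the sourcetype used in the answers above, and the Perfmon event fields `counter`, `instance` and `Value`; the total is estimated as free space divided by the free fraction, so it is left empty for a volume reporting 0% free rather than dividing by zero.

```spl
index=infra_index sourcetype="Perfmon:Free Disk Space"
    (counter="Free Megabytes" OR counter="% Free Space")
| stats latest(Value) as Value by host instance counter
| eval free_mb  = if(counter="Free Megabytes", Value, null())
| eval pct_free = if(counter="% Free Space", Value, null())
| stats max(free_mb) as free_mb max(pct_free) as pct_free by host instance
| eval free_gb  = round(free_mb / 1024, 1)
| eval total_gb = if(pct_free > 0, round(free_mb / (pct_free / 100) / 1024, 1), null())
| eval used_gb  = round(total_gb - free_gb, 1)
| eval pct_used = round(100 - pct_free, 1)
| table host instance total_gb used_gb free_gb pct_used
| sort - pct_used
```

With `instances = _Total` in the input stanza, each host returns a single `_Total` row covering all of its logical disks; listing drive letters in `instances` gives one row per drive.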