Splunk Search

Setting up visual for Disk Space or Free Disk Space/Radial Gauge for Disk Space

carlyleadmin
Contributor

Hi,

This task was harder than I thought, or I do not know what I am doing (most likely). Basically, I want to put up a nice dashboard (radial gauge) that shows the disk space over time, or in real time. So if I had 200 GB of space and 30 GB free, I would like to show that on the gauge, and over time show whether that number goes up or down. It could be a percentage as well. I hope this makes sense. Here is my WMI.conf file:

[WMI:LocalPhysicalDiskInfo]
interval = 300
wql = select Name, FreeSpace, Size from Win32_LogicalDisk
disabled = 0
index = main

I guess the first question would be: do I need additional WQL statements, such as percentage disk space, etc.?

So this is my search query:
index="main" sourcetype="wmi:localphysicaldiskinfo" Name="C:"

And this is what I got in return.

And the result would be something like this, if it is not too much work.

Thanks in advance for all your help.

0 Karma
1 Solution

woodcock
Esteemed Legend

To get %, just do this:

index="main" 
sourcetype="wmi:localphysicaldiskinfo" 
Name="C:"
| eval pct = 100 * FreeSpace / Size

0 Karma

carlyleadmin
Contributor

Thanks for the quick response, woodcock. I am running this search now, but when I try to put it in a visualization, it is not working. Can you tell me what I am doing wrong, please? Would this involve a complex search query to make the visualization work? The post below mentions something like this: https://answers.splunk.com/answers/568907/visual-chart-for-how-much-free-disk-space-is-avail.html

index="main" sourcetype="WMI:LocalPhysicalDiskInfo" Name="C:"|eval pct = 100 * FreeSpace / Size|timechart span=5m avg(pct) by Name

0 Karma

woodcock
Esteemed Legend

Try this:

index="main" sourcetype="WMI:LocalPhysicalDiskInfo" Name="C:"
| eval pct = 100 * FreeSpace / Size
| chart avg(pct) by Name

Select Radial Gauge visualization and then select Trellis by Name field.

0 Karma
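
An added example, not part of the original replies: the percentage search from this thread extended to every drive the wmi.conf stanza collects, keeping only volumes that report a Size and using latest() so each gauge shows the most recent sample rather than the average over the search time range. It assumes FreeSpace, Size and Name are extracted as in the searches above and that host is the default Splunk host field; pct_free and disk are names chosen for this example.

```spl
index="main" sourcetype="WMI:LocalPhysicalDiskInfo"
| where isnotnull(Size) AND Size > 0
| eval pct_free = round(100 * FreeSpace / Size, 1)
| eval disk = host . " " . Name
| chart latest(pct_free) AS pct_free by disk
```

With the Radial Gauge visualization, use Trellis by disk to get one gauge per host and drive.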

carlyleadmin
Contributor

Thanks, Woodcock. That was it.

0 Karma