Splunk Search

Setting up visual for Disk Space or Free Disk Space/Radial Gauge for Disk Space

carlyleadmin
Contributor

Hi,

This task was harder than i think or i do not know what i am doing(most likely).Basically i want to put up a nice dashboard(radial gauge) where it shows the disk space over time,or real-time.so if i had 200gb space and i have 30gb free would like to show that on the gauge and over time with progress whether that number goes up or down.cpuld be a percentage as well.i hope this makes sense.here is my WMI.conf file

[WMI:LocalPhysicalDiskInfo]
interval = 300
wql = select Name, FreeSpace, Size from Win32_LogicalDisk
disabled = 0
index = main

i guess the first question would be like,do i need additional WQL statements such as percentage disk space etc?

so this is my search query
index="main" sourcetype="wmi:localphysicaldiskinfo" Name="C:" |

and this is what i got in returnalt text

and result would be something like this if it is not too much work.

alt text

Thanks in advance for all your help.

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

To get %, just do this:

index="main" 
sourcetype="wmi:localphysicaldiskinfo" 
Name="C:"
| eval pct = 100 * FreeSpace / Size

View solution in original post

0 Karma

woodcock
Esteemed Legend

To get %, just do this:

index="main" 
sourcetype="wmi:localphysicaldiskinfo" 
Name="C:"
| eval pct = 100 * FreeSpace / Size
0 Karma

carlyleadmin
Contributor

Thanks for the quick response Woodcook. i am running this search now and when i try to put it in visualization but that is not working.can you tell me what i am doing wrong please.would this involve a complex search query to make visualization to work.below post mentions something like this https://answers.splunk.com/answers/568907/visual-chart-for-how-much-free-disk-space-is-avail.html

index="main" sourcetype="WMI:LocalPhysicalDiskInfo" Name="C:"|eval pct = 100 * FreeSpace / Size|timechart span=5m avg(pct) by Name

alt text

alt text

0 Karma

woodcock
Esteemed Legend

Try this:

index="main" sourcetype="WMI:LocalPhysicalDiskInfo" Name="C:"
| eval pct = 100 * FreeSpace / Size
| chart avg(pct) by Name

Select Radial Gauge visualization and then select Trellis by Name field.

0 Karma

carlyleadmin
Contributor

Thanks Woodcock.That was it.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...