
Hi Guys

I am trying to make a chart of disk space used over time, but the query I have built (below) simply returns a result of '1' indicating that a value is present. How can I extract the value of 'Value' to use in a chart?

Here is an example of the data:

06/14/2011 12:30:59.466
collection="Free Disk Space"
object=LogicalDisk
counter="Free Megabytes"
instance=E:
Value=134341
host=ROMERO sourcetype=Perfmon:Free Disk Space

Using this query:

host="romero" source="Perfmon:Free Disk Space" | timechart values(Value) as FreeSpace

I get a result that looks like this:

6/8/11 12:00:00.000 AM
134679 134681 134687 134691

6/9/11 12:00:00.000 AM
134529 134530 134531 134532 ... etc

When I chart this result, each Value is shown on the chart with a value of '1', so each time frame simply shows the number of values in that time period, which is obviously the same every time period, rather than using the actual values to draw the chart to show how much space is being used.

Is it possible to extract these values for use in a chart?

Thanks :)

asked 13 Jun '11, 19:49


wishlist
accept rate: 0%


One Answer:

Sure. First, some explanation for how timechart behaves: timechart needs some kind of statistical function that returns a unique value for the timespan it's operating on. If you don't define the timespan yourself it will be set dynamically depending on what timerange the whole search spans, but let's take an example where the timespan is 1 minute and that somewhere in your log you have 3 of these events occurring within 1 minute. Splunk needs to know how to give you ONE value for "Value", even though there are 3 values of each. You can tell Splunk to just give you an average from the 3 events using the stats function avg:

host="romero" source="Perfmon:Free Disk Space" | timechart span=1m avg(Value) as FreeSpace

Or, if you only want the values from the first of the events within the time period, use first instead of avg. Want the sum? Use sum. And so on. More information on statistical functions is available here: http://www.splunk.com/base/Documentation/latest/SearchReference/Stats

There's also a second way to do this, which is to produce a table containing timestamps and values yourself and then feed them into the chart.

host="romero" source="Perfmon:Free Disk Space" | table _time Value

answered 13 Jun '11, 22:05


Ayn
accept rate: 41%
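To see why values(Value) charts as a count of 1 while avg(Value) charts the real number of free megabytes, here is an added Python simulation of what timechart does per span. This is illustration code, not Splunk's implementation and not from the answer; the events are constructed in the question's Perfmon layout, and the 30-minute span matches the collection interval the asker mentions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample events in the question's Perfmon layout (one event per line).
SAMPLE_EVENTS = """\
06/14/2011 12:30:59.466 collection="Free Disk Space" counter="Free Megabytes" instance=E: Value=134341 host=ROMERO
06/14/2011 12:35:59.466 collection="Free Disk Space" counter="Free Megabytes" instance=E: Value=134335 host=ROMERO
06/14/2011 13:05:59.466 collection="Free Disk Space" counter="Free Megabytes" instance=E: Value=134290 host=ROMERO
06/14/2011 13:20:59.466 collection="Free Disk Space" counter="Free Megabytes" instance=E: Value=134270 host=ROMERO
"""

def parse_events(text):
    """Return (timestamp, Value) pairs; Value is extracted as an integer."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts = datetime.strptime(" ".join(line.split()[:2]), "%m/%d/%Y %H:%M:%S.%f")
        rows.append((ts, int(re.search(r"\bValue=(\d+)", line).group(1))))
    return rows

def bucket_start(ts, span_minutes):
    """Floor ts to its span boundary, like timechart span=<N>m (assumes N divides 60)."""
    minute = (ts.minute // span_minutes) * span_minutes
    return ts.replace(minute=minute, second=0, microsecond=0)

def timechart(rows, span_minutes, func):
    """Group rows into spans and reduce each span's Values with func (avg, values, ...)."""
    buckets = defaultdict(list)
    for ts, value in rows:
        buckets[bucket_start(ts, span_minutes)].append(value)
    return {start: func(vals) for start, vals in sorted(buckets.items())}

def values_fn(vals):
    """Splunk values(): the distinct values as a multivalue field, not a single number."""
    return sorted(set(vals))

def chart_series(table):
    """Model the behaviour the question describes: a numeric cell is plotted as-is,
    while a multivalue cell is not a number and ends up charted as a single point (1)."""
    return {start: cell if isinstance(cell, (int, float)) else 1
            for start, cell in table.items()}

if __name__ == "__main__":
    rows = parse_events(SAMPLE_EVENTS)
    print(chart_series(timechart(rows, 30, values_fn)))  # every span -> 1
    print(chart_series(timechart(rows, 30, mean)))       # actual free MB per span
```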

Thanks Ayn :)

This:

host="romero" source="Perfmon:Free Disk Space" | timechart span=30m avg(Value) as FreeSpace

Worked a treat :D

D

nb. I changed the timespan, as the disk space is only read every 30 minutes.

(14 Jun '11, 16:41) wishlist

If this solved your issue, please click the checkbox next to the answer to "accept" it.

(27 Jul '11, 07:31) dwaddle ♦

Asked: 13 Jun '11, 19:49

Seen: 1,437 times

Last updated: 27 Jul '11, 07:31

Copyright © 2005-2012 Splunk Inc. All rights reserved.