Monitor and alert on Windows disk usage
Monitor and alert on Windows disk usage
This example discusses searches you can use to monitor and report on Windows disk usage. It also walks through the steps for setting up a conditional alert that sends an email when the disk usage falls below a certain percentage.
Scenario
I am setting up a search to alert me when a Windows host or Linux host runs below a certain percentage of Diskspace.
I have tried to schedule alerts based upon Windows Event codes:
host="*" source="wineventlog:system"(\"EventID=4133\"OR \"EventID=1082\")However it is not as useful as measuring the disks usage and alerting when the usage falls below say 10%:
index="os" sourcetype="df" host=* | multikv fields FileSystem, UsePct |
strcat host '@' Filesystem Host_FileSystem | convert rmunit(UsePct) | search UsePct < 11 | timechartDisk Utilization Report
source="wmi:localphysicaldisk" "Name=Total" | timechart avg
(UsePct) as "Disk Space", avg(DiskUsage) as "Disk Usage %"Set up conditional alert
content coming soon!
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.