Splunk® Enterprise

User Manual

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Monitor and alert on Windows disk usage

This example discusses searches you can use to monitor and report on Windows disk usage. It also walks through the steps for setting up a conditional alert that sends an email when the disk usage falls below a certain percentage.


I am setting up a search to alert me when a Windows host or Linux host runs below a certain percentage of disk space.

I have tried to schedule alerts based upon Windows Event codes:

host="*" source="wineventlog:system" ("EventID=4133" OR "EventID=1082")

However, it is not as useful as measuring the disk's usage and alerting when the usage falls below, say, 10%:

index="os" sourcetype="df" host=* | multikv fields Filesystem, UsePct | strcat host "@" Filesystem Host_FileSystem | convert rmunit(UsePct) | search UsePct < 11 | timechart avg(UsePct) by Host_FileSystem

Disk Utilization Report

source="wmi:localphysicaldisk" "Name=Total" | timechart avg(UsePct) as "Disk Space", avg(DiskUsage) as "Disk Usage %"

Set up conditional alert

content coming soon!
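
One way a conditional email alert built on the df search above could be written in savedsearches.conf. This is an added example, not content from the Splunk documentation; the stanza name, schedule, suppression window and recipient address are assumptions, and the threshold is the one used in the search on this page.

```ini
# savedsearches.conf (added example; stanza name, schedule and address are assumptions)
[Disk usage threshold alert]
# Base search: the df search from this page, reduced to one row per host@filesystem.
search = index="os" sourcetype="df" host=* | multikv fields Filesystem, UsePct | strcat host "@" Filesystem Host_FileSystem | convert rmunit(UsePct) | stats max(UsePct) as UsePct by Host_FileSystem
# Run every 15 minutes over the previous 15 minutes of df samples.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Conditional alert: fires when this secondary search returns at least one row.
# The comparison is copied from the search on this page; set it to the
# threshold you want to be notified about.
# Do not set counttype, relation or quantity together with alert_condition.
alert_condition = search UsePct < 11
# Email action; the recipient is a placeholder.
action.email = 1
action.email.to = ops@example.com
action.email.subject = Splunk alert: disk usage threshold crossed
action.email.sendresults = 1
# Suppress repeats for an hour so a persistent condition does not flood the mailbox.
alert.suppress = 1
alert.suppress.period = 1h
```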

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7