Log Analytics Query to Get Specific Disk Letter Space

pierrot 46 Reputation points
2022-11-02T07:38:25.57+00:00

Hi,

I am trying to run a log query to:

  • Determine disk sizes equal to or less than 30GB.
  • Get results based on select disks only.
  • Create an Azure Monitor rule based on disk drive and remaining free space (equal to or less than 30GB).

I am running the query below, but I am getting multiple results per drive / per VM.

In summary, what I need help with is to tidy up the query to make it work, and to create a monitor alert rule based on the query where C or D or E are equal to or less than 30GB.

InsightsMetrics
| where Origin == "vm.azm.ms"
| where Namespace == "LogicalDisk" and Name == "FreeSpacePercentage" and Val <30
| extend Disk=tostring(todynamic(Tags)["vm.azm.ms/mountId"])
| summarize arg_max(Val,*) by bin(TimeGenerated, 30m), Computer, Disk
| where Disk == "C:"

Thanks.

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.

Accepted answer
  1. Stanislav Zhelyazkov 28,186 Reputation points MVP Volunteer Moderator
    2022-11-02T10:00:42.853+00:00

    Hi,
    I would suggest having a look at my article about Log Alerts v2. I think it will be helpful, as many things are configured on the alert rule rather than in the query. Overall, your query could be just:

    InsightsMetrics  
    | where Namespace == "LogicalDisk" and Name == "FreeSpacePercentage"  
    | extend Disk=tostring(todynamic(Tags)["vm.azm.ms/mountId"])  
    | extend Val = toint(Val)  
    

    After that, when you create the alert rule, you will select Computer or _ResourceId as a dimension and include only the VMs you want. The same goes for Disk: select it as a dimension and include only the disks you want to be alerted upon. For comparing against the threshold, you will select the Val column and enter your desired threshold. When you create the alert, you will get alerted per VM per disk for the scoped VMs and disks.

    If you want to filter inside the query it is still possible but not necessary:

    InsightsMetrics  
    | where Namespace == "LogicalDisk" and Name == "FreeSpacePercentage" and Origin == "vm.azm.ms"  
    | extend Disk=tostring(todynamic(Tags)["vm.azm.ms/mountId"])  
    | where Disk in ('C:','D:','E:')  
    | extend Val = toint(Val)  
    

    What I strongly recommend is that when you have an alert rule, you do not define the threshold in the query. The same goes for summarization in the query when Log Alert v2 is used.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

1 additional answer

  1. Alistair Ross 7,466 Reputation points Microsoft Employee
    2022-11-02T10:08:18.813+00:00

    Hi @pierrot

    I've tidied up your query for alerting

    let ThresholdGB = 30;  
    InsightsMetrics  
    | where Origin == "vm.azm.ms"  
    | where Namespace == "LogicalDisk"  
    | where Name == "FreeSpaceMB"  
    | extend Disk = tostring(todynamic(Tags).['vm.azm.ms/mountId']) // Extract the disks  
    | where Disk in ("C:","D:","E:") // Filter for the desired disks  
    | summarize arg_max(TimeGenerated,*) by Computer, Disk // Get the most recent sample of the performance counter  
    | where Val < (ThresholdGB * 1024) // Filter by a threshold, taking into account GB to MB Conversion  
    | project TimeGenerated, Computer, Disk, FreeSpaceGB = round(Val /1024,2) // Tidy the results up  
    

    I hope this helps provide you with the information you need. If it does, please make sure to mark the question as answered so it helps other people in future.

    Kind Regards

    Alistair
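
Added example, not part of either answer or of the original thread: it contrasts the shape of the query in the question (threshold filter first, then one row per 30-minute bin) with the latest-sample shape used in the second answer, and counts the rows each returns per VM and disk. The Samples table, the VM names and every value in it are constructed for illustration so the query runs without any VM insights data.

```kusto
// Constructed sample rows shaped like InsightsMetrics (not real telemetry).
// vm01 C: is low in three consecutive 30-minute bins.
// vm01 D: was low at 07:00 but has recovered by 08:00.
// vm02 E: has a single low sample; vm02 F: is low but not a selected disk.
let ThresholdGB = 30;
let Samples = datatable(TimeGenerated:datetime, Computer:string, Origin:string,
                        Namespace:string, Name:string, Val:real, Tags:string)
[
    datetime(2022-11-02 07:00:00), "vm01", "vm.azm.ms", "LogicalDisk", "FreeSpaceMB", 28000.0, '{"vm.azm.ms/mountId":"C:"}',
    datetime(2022-11-02 07:30:00), "vm01", "vm.azm.ms", "LogicalDisk", "FreeSpaceMB", 27000.0, '{"vm.azm.ms/mountId":"C:"}',
    datetime(2022-11-02 08:00:00), "vm01", "vm.azm.ms", "LogicalDisk", "FreeSpaceMB", 26000.0, '{"vm.azm.ms/mountId":"C:"}',
    datetime(2022-11-02 07:00:00), "vm01", "vm.azm.ms", "LogicalDisk", "FreeSpaceMB", 20000.0, '{"vm.azm.ms/mountId":"D:"}',
    datetime(2022-11-02 08:00:00), "vm01", "vm.azm.ms", "LogicalDisk", "FreeSpaceMB", 90000.0, '{"vm.azm.ms/mountId":"D:"}',
    datetime(2022-11-02 08:00:00), "vm02", "vm.azm.ms", "LogicalDisk", "FreeSpaceMB", 10000.0, '{"vm.azm.ms/mountId":"E:"}',
    datetime(2022-11-02 08:00:00), "vm02", "vm.azm.ms", "LogicalDisk", "FreeSpaceMB", 5000.0,  '{"vm.azm.ms/mountId":"F:"}'
];
// Common part: select the counter, extract the mount point, keep the chosen disks.
let Disks = Samples
    | where Origin == "vm.azm.ms" and Namespace == "LogicalDisk" and Name == "FreeSpaceMB"
    | extend Disk = tostring(todynamic(Tags)["vm.azm.ms/mountId"])
    | where Disk in ("C:", "D:", "E:");
// Shape of the query in the question: the threshold is applied to every sample,
// then bin(TimeGenerated, 30m) in the by clause keeps one row per bin.
let PerBin = Disks
    | where Val < ThresholdGB * 1024
    | summarize arg_max(Val, *) by bin(TimeGenerated, 30m), Computer, Disk
    | summarize Rows = count() by Computer, Disk
    | extend Shape = "threshold, then bin(TimeGenerated, 30m)";
// Shape of the second answer: keep only the newest sample per VM and disk,
// then compare that single value with the threshold (GB converted to MB).
let Latest = Disks
    | summarize arg_max(TimeGenerated, *) by Computer, Disk
    | where Val < ThresholdGB * 1024
    | summarize Rows = count() by Computer, Disk
    | extend Shape = "latest sample, then threshold";
union PerBin, Latest
| project Shape, Computer, Disk, Rows
| order by Shape asc, Computer asc, Disk asc
```

Because the first shape filters before it summarizes, a disk that has since recovered still contributes its older low samples, while the second shape only evaluates the current value.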

