Azure Data Explorer - Log query

0
votes

Can someone share me an example of how i can write a single azure log query for the disk space for computers with different threshold values.

Below is the way i am writing my query for handling the computers with different threshold values. I want to know if there is any other better way of doing the same in a single query

Perf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| where strlen(InstanceName) ==2 and InstanceName contains ":"
| where Computer !in~ ("DUFFVEEAMREPO01","TORFILE01")
| extend ComputerDrive= strcat(Computer, ' - ', InstanceName)
| summarize Free_Space = min(CounterValue) by ComputerDrive
| sort by Free_Space asc
| where Free_Space< 10)
//////////////////////////////////////////////
| union kind=outer (Perf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| where Computer contains "DUFFVEEAMREPO01" and InstanceName == "K:"
| where strlen(InstanceName) ==2 and InstanceName contains ":"
| extend drive = strcat(Computer, ' - ', InstanceName)
| summarize Free_Space = min(CounterValue) by ComputerDrive
| sort by Free_Space asc
| where Free_Space< 1)
//////////////////////////////////////////////
| union kind=outer (Perf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| where Computer contains "DUFFVEEAMREPO01" and InstanceName == "I:"
| where strlen(InstanceName) ==2 and InstanceName contains ":"
| extend drive = strcat(Computer, ' - ', InstanceName)
| summarize Free_Space = min(CounterValue) by ComputerDrive
| sort by Free_Space asc
| where Free_Space< 2.5)
//////////////////////////////////////////////
| union kind=outer (Perf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| where Computer contains "TORFILE01" and InstanceName == "F:"
| where strlen(InstanceName) ==2 and InstanceName contains ":"
| extend drive = strcat(Computer, ' - ', InstanceName)
| summarize Free_Space = min(CounterValue) by ComputerDrive
| sort by Free_Space asc
| where Free_Space< 2.5)
//////////////////////////////////////////////
| union kind=outer (Perf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| where Computer contains "TORFILE01" and InstanceName == "K:"
| where strlen(InstanceName) ==2 and InstanceName contains ":"
| extend drive = strcat(Computer, ' - ', InstanceName)
| summarize Free_Space = min(CounterValue) by ComputerDrive
| sort by Free_Space asc
| where Free_Space< 5)




Thanks
Swapna
1
azureazure-data-explorerkql

1 Answers

0
votes

I think the three queries which you posted , i can see the difference in instanceName and also the Computer name . I think you can use the IN clause and improve the query .

Something like InstanceName IN ("I:", "K:", "F:")