Azure Log Analytics: Disk Space Usage ; Part 3


Azure Log Analytics: Disk Space Usage ; Part 3

Category    Log Analytics Syntax v2 ; OMS Syntax

As promised here is Part 3

Part 1: https://blogs.msdn.microsoft.com/ukhybridcloud/2017/12/08/azure-log-analytics-disk-space-usage/

Part 2: http://blogs.msdn.microsoft.com/ukhybridcloud/2018/05/17/azure-log-analytics-disk-space-usage-part-2/

Part 3: this post

In this post we'll look at Trends and doing an estimate. My query now looks like the one further down this article (see Final Code Sample), let's talk about the changes:

  1. I'm just looking at a single Computer (this is a good idea as it's easier to graph one machine).
    So I've added a | where Computer startswith
    "W"

    (as my computer starts with a "w" – please adjust to suit)
  2. Then we use the Make-Series operator (and I suggest you look at the Charting tutorials in the docs and this Tutorial). I store the details in a variable called Y (for the Y-Axis)
    If I just ran the code up until this line, you can see that two arrays are created, Y and TimeGenerated.

  3. We then need to use Extend, however the best examples for that are under Linear Regression using series_fit_line. There are a lot of "Series_nnnnn_yyyyyy" examples in the docs, such as: https://docs.loganalytics.io/docs/Language-Reference/Scalar-functions/series_fill_forward()

The final code sample:

// Chart C: over the past nn days - Show a Trend Line

let startDate = ago(60d); // enter how many days to look back on

Perf

| where TimeGenerated > startDate

| where ObjectName == "LogicalDisk"
and CounterName == "% Free Space"

| where Computer startswith
"W"

| where InstanceName contains
"C:"

| make-series y = min(CounterValue) on TimeGenerated in range(startDate,now(), 1d)

| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(y)

| render timechart

Which looks like this:

Note: You do need a good amount of non-zero data, to get a good trend slope. I have a few servers that are switched off a lot and that will often mean the LineFit is very wrong. I need to look at a way of seeing if there are too many data points with a value of zero– a task for another day and article

Now what if we wish to predict how many days are left before we get to zero % free.

// Chart C: over the past nn days - How many days have we got left for a Named Computer?

let startDate = ago(60d); // enter how many days to look back on

Perf

| where TimeGenerated > startDate

| where ObjectName == "LogicalDisk"
and CounterName == "% Free Space"

| where Computer startswith
"W"
// name your computer

| where InstanceName contains
"C:"

| make-series y = min(CounterValue) on TimeGenerated in range(startDate,now(), 1d)

| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(y)

| extend DaysTo0= (-1 * Interception) / Slope

| project round(DaysTo0,0)

In the above, I have made two additions:

  1. | extend DaysTo0= (-1 * Interception) / Slope
    This syntax is used to calculate the days until we reach zero.
  2. | project round(DaysTo0,0)

    With the last line we just project the result, I also used Round to get rid of the extra decimal places)

This latest result gives us an output of:

Now what if we wish to predict how many days are left before we get to zero % free. Let's do this on ALL Computers

// Chart C: over the past nn days - How many days have we got left on all Computers?

let startDate = ago(60d); // enter how many days to look back on

let daysToEstimate = 365; // show computers with less than a year of disk space

Perf

| where TimeGenerated > startDate

| where ObjectName == "LogicalDisk"
and CounterName == "% Free Space"

| where InstanceName contains
"C:"

| make-series y = min(CounterValue) on TimeGenerated in range(startDate,now(), 1d) by Computer

| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(y)

| extend DaysTo0= (-1 * Interception) / Slope

| where DaysTo0 > 0
and DaysTo0 < daysToEstimate // filter any negative trending computers

| project Computer, round(DaysTo0,0)

In the above I added a daysToEstimate variable set to 1 year. I then changed the make-series line by appending "by Computer" and removed the line to look for a single computer.

I also didn't want to see any negative values (computers that have had spaced cleared and are now trending the wrong way.

It makes a good BarChart as well

Remember with any trend calculation its only a good as the data you have, so the more data points the better. There are others ways of doing this, but this I hope is a good starter post?

That's all for now!

Comments (0)

Skip to main content