Splunk searches relating to Windows
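```LogicalDisk counters per host and volume instance from the em_metrics index, pivoted so each (counter, instance) pair becomes a column over _time.```
| mstats avg(_value) as avgValue WHERE metric_name="LogicalDisk.*" AND index=em_metrics span=auto by metric_name, host, instance
```Fold the instance into the metric name and append "host"+host to the value: xyseries keeps only _time, metric_name and the value, so the host has to travel inside the cell.```
| eval metric_name=metric_name."_".instance, avgValue=avgValue."host".host
| xyseries _time metric_name avgValue
```Drop the "LogicalDisk." prefix, turn a leading "%_" into "perc_" and strip the trailing ":" that drive-letter instances (e.g. "C:") leave on the column name.```
| rename LogicalDisk.* as *, %_* as perc_*, *: as *
```Split every "<value>host<host>" cell back into the numeric column and a host field. The named group must be written (?P<<<FIELD>>>...) so that foreach expands <<FIELD>> to (?P<column_name>...); the earlier (?P<<FIELD>>...) form expanded to (?Pcolumn_name...), which is not a valid named group.```
| foreach * [ | rex field=<<FIELD>> "(?P<<<FIELD>>>.+)host(?P<host>.+)$" ]
```NOTE(review): xyseries is keyed on _time alone, so if several hosts report the same metric their rows appear to collapse into one cell — confirm this is run per host, or add host to the eval'd metric_name.```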
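```Memory counters per host from the em_metrics index, pivoted so each counter becomes a column over _time.```
| mstats avg(_value) as avgValue WHERE metric_name="Memory.*" AND "index"="em_metrics" span=auto by metric_name, host
```Append "host"+host to the value so it survives xyseries, which keeps only _time, metric_name and the value.```
| eval avgValue=avgValue."host".host
| xyseries _time metric_name avgValue
```Drop the "Memory." prefix, map a leading "%_" to "perc_" and "/sec" to "_per_sec". Renaming "%*" to "*" (the previous form) would produce names starting with "_" (e.g. "_Committed_Bytes_In_Use"), which Splunk hides from default output; "perc_*" also matches the LogicalDisk and Processor searches on this page.```
| rename Memory.* as *, %_* as perc_*, */sec as *_per_sec
```Split every "<value>host<host>" cell back into the numeric column and a host field; (?P<<<FIELD>>>...) expands to (?P<column_name>...).```
| foreach * [ | rex field=<<FIELD>> "(?P<<<FIELD>>>.+)host(?P<host>.+)$" ]
```NOTE(review): xyseries is keyed on _time alone, so rows from several hosts for the same metric appear to collapse — confirm single-host use.```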
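```Processor busy / idle percentage per host from the em_metrics index, pivoted so each counter becomes a column over _time.```
```The two metric_name terms are parenthesised so the index filter unambiguously applies to both counters, whichever way the WHERE clause resolves OR/AND precedence; unparenthesised, the %_Processor_Time term could be read as unrestricted by index.```
| mstats avg(_value) as avgValue WHERE (metric_name="Processor.%_Processor_Time" OR metric_name="Processor.%_Idle_Time") AND "index"="em_metrics" span=auto by metric_name, host
```NOTE(review): instance is not a split-by field here, so the average presumably spans every processor instance (per-core and any _Total) — add instance to the by clause if per-core values are wanted; confirm.```
```Append "host"+host to the value so it survives xyseries, which keeps only _time, metric_name and the value.```
| eval avgValue=avgValue."host".host
| xyseries _time metric_name avgValue
```"Processor.%_Processor_Time" -> "perc_Processor_Time", "Processor.%_Idle_Time" -> "perc_Idle_Time".```
| rename Processor.%_* as perc_*
```Split every "<value>host<host>" cell back into the numeric column and a host field; (?P<<<FIELD>>>...) expands to (?P<column_name>...).```
| foreach perc_* [ | rex field=<<FIELD>> "(?P<<<FIELD>>>.+)host(?P<host>.+)$" ]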
```Free-space figures per logical volume from perfmon LogicalDisk events, skipping the _Total roll-up and raw Harddisk* instances.```
```Output: FreePct-<instance> / FreeMB-<instance> per volume, plus FreePct-Other / FreeMB-Other holding the same figures only for volumes whose instance is neither C: nor D: (null otherwise).```
(index=windows OR index=perfmon OR index=os) sourcetype=perfmonMK:LogicalDisk instance!=_Total instance!=Harddisk*
| eval FreePct-Other=if(match(instance,"C:") OR match(instance,"D:"), null(), storage_free_percent),
       FreeMB-Other=if(match(instance,"C:") OR match(instance,"D:"), null(), Free_Megabytes),
       FreePct-{instance}=storage_free_percent,
       FreeMB-{instance}=Free_Megabytes