Inventory of Azure managed disks
As an administrator, you want to have a high-level view of the number and type of managed disks in your Azure infrastructure.
Data required
Microsoft: Azure virtual machine data
Procedure
- Configure the Microsoft Azure Add-on for Splunk.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="azure:compute:disk" |dedup id |stats latest(location) AS Location latest(managedBy) AS managedBy latest(name) AS name latest(properties.creationData.imageReference.id) AS imageReference latest(properties.diskSizeGB) AS diskSize latest(properties.diskState) AS diskState latest(properties.osType) AS osType latest(properties.provisioningState) AS provisioningState latest(sku.name) AS skuName latest(sku.tier) AS skuTier BY id |table name diskState diskSize osType provisioningState skuName skuTier |rename name AS Name diskState AS "Disk State" diskSize AS "Disk Size (GB)" osType AS "OS Type" provisioningState AS "Provisioning State" skuName AS "SKU Name" skuTier AS "SKU Tier"
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
sourcetype="azure:compute:disk" |
Search only Azure managed disk data. |
|dedup id |
Remove results with duplicate IDs. |
|stats latest(location) AS Location latest(managedBy) AS managedBy latest(name) AS name latest(properties.creationData.imageReference.id) AS imageReference latest(properties.diskSizeGB) AS diskSize latest(properties.diskState) AS diskState latest(properties.osType) AS osType latest(properties.provisioningState) AS provisioningState latest(sku.name) AS skuName latest(sku.tier) AS skuTier BY id |
Return the latest information for each disk. Simplify the field names for better readability. |
|table name diskState diskSize osType provisioningState skuName skuTier |
Display the results in a table with columns in the order shown. |
|rename name AS Name diskState AS "Disk State" diskSize AS "Disk Size (GB)" osType AS "OS Type" provisioningState AS "Provisioning State" skuName AS "SKU Name" skuTier AS "SKU Tier" |
Rename the fields as shown for better readability. |
Next steps
Sample results for this search are shown in the table below. The search provides useful information, such as the disk state. For example, if many disks are unattached, you might want to delete or archive them. Other fields can be used to determine if disks are being managed well. For example, the overuse of Premium SKU Tier is good to know about and can be found with this search. The size of disks is important too since many large or small disks can be reconfigured for optimization.
Name | Disk State | Disk Size (GB) | OS Type | Provisioning State | SKU Name | SKU Tier |
---|---|---|---|---|---|---|
Ry-Win10_OsDisk_1_8e4e467763f14cde9d3a557797b88b01 |
Attached |
127 |
Windows |
Succeeded |
StandardSSD_LRS |
Standard |
SPLUNKHF01_OsDisk_1_ae8001bff3534b28b1d8b319f2912b4d |
Attached |
30 |
Linux |
Succeeded |
Standard_LRS |
Standard |
Test_OsDisk_1_32e1685f3eb247659c42cee472ce0b90 |
Unattached |
127 |
Windows |
Succeeded |
StandardSSD_LRS |
Standard |
WVD-Win10-0_OsDisk_1_1a45824068fd4d368a022b9802f2cd2e |
Attached |
127 |
Windows |
Succeeded |
StandardSSD_LRS |
Standard |
CentOS_DataDisk_0 |
Reserved |
32 |
Succeeded |
Premium_LRS |
Premium |
You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.