You might want a comprehensive list of managed disks in your Azure infrastructure when doing the following:
Prerequisites
In order to execute this procedure in your environment, you may need to first on-board the data, services, or apps shown in the following table.
|
Category |
Name |
Importance |
|
Data |
Active Directory audit data for users, sign-ins, and directories. Metrics and inventory metadata. |
Required |
|
Add-on |
Required |
|
|
Add-on |
Recommended |
|
|
App |
Recommended |
Example
The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source.
As an administrator, you want to have a high-level view of the number and type of managed disks in your Azure infrastructure.
- Run the following search:
sourcetype="azure:compute:disk"
|dedup id
|stats latest(location) AS Location latest(managedBy) AS managedBy latest(name) AS name latest(properties.creationData.imageReference.id) AS imageReference latest(properties.diskSizeGB) AS diskSize latest(properties.diskState) AS diskState latest(properties.osType) AS osType latest(properties.provisioningState) AS provisioningState latest(sku.name) AS skuName latest(sku.tier) AS skuTier BY id
|table name diskState diskSize osType provisioningState skuName skuTier
|rename name AS Name diskState AS "Disk State" diskSize AS "Disk Size (GB)" osType AS "OS Type" provisioningState AS "Provisioning State" skuName AS "SKU Name" skuTier AS "SKU Tier"
Search Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|
Splunk Search |
Explanation |
|
sourcetype="azure:compute:disk" |
Search only Azure managed disk data. |
|
|dedup id |
Remove results with duplicate IDs. |
|
|stats latest(location) AS Location latest(managedBy) AS managedBy latest(name) AS name latest(properties.creationData.imageReference.id) AS imageReference latest(properties.diskSizeGB) AS diskSize latest(properties.diskState) AS diskState latest(properties.osType) AS osType latest(properties.provisioningState) AS provisioningState latest(sku.name) AS skuName latest(sku.tier) AS skuTier BY id |
Return the latest information for each disk. Simplify the field names for better readability. |
|
|table name diskState diskSize osType provisioningState skuName skuTier |
Display the results in a table with columns in the order shown. |
|
|rename name AS Name diskState AS "Disk State" diskSize AS "Disk Size (GB)" osType AS "OS Type" provisioningState AS "Provisioning State" skuName AS "SKU Name" skuTier AS "SKU Tier" |
Rename the fields as shown for better readability. |
Result
Sample results for this search are shown in the table below. The search provides useful information, such as the disk state. For example, if many disks are unattached, you might want to delete or archive them. Other fields can be used to determine if disks are being managed well. For example, the overuse of Premium SKU Tier is good to know about and can be found with this search. The size of disks is important too since many large or small disks can be reconfigured for optimization.
|
Name |
Disk State |
Disk Size (GB) |
OS Type |
Provisioning State |
SKU Name |
SKU Tier |
|
Ry-Win10_OsDisk_1_8e4e467763f14cde9d3a557797b88b01 |
Attached |
127 |
Windows |
Succeeded |
StandardSSD_LRS |
Standard |
|
SPLUNKHF01_OsDisk_1_ae8001bff3534b28b1d8b319f2912b4d |
Attached |
30 |
Linux |
Succeeded |
Standard_LRS |
Standard |
|
Test_OsDisk_1_32e1685f3eb247659c42cee472ce0b90 |
Unattached |
127 |
Windows |
Succeeded |
StandardSSD_LRS |
Standard |
|
WVD-Win10-0_OsDisk_1_1a45824068fd4d368a022b9802f2cd2e |
Attached |
127 |
Windows |
Succeeded |
StandardSSD_LRS |
Standard |
|
CentOS_DataDisk_0 |
Reserved |
32 |
Succeeded |
Premium_LRS |
Premium |
Comments
0 comments
Please sign in to leave a comment.