Inventory of Azure managed disks

Data required

Microsoft: Azure virtual machine data

Procedure

1. Configure the Microsoft Azure Add-on for Splunk.
2. Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype="azure:compute:disk"
|dedup id 
|stats latest(location) AS Location latest(managedBy) AS managedBy latest(name) AS name latest(properties.creationData.imageReference.id) AS imageReference latest(properties.diskSizeGB) AS diskSize latest(properties.diskState) AS diskState latest(properties.osType) AS osType latest(properties.provisioningState) AS provisioningState latest(sku.name) AS skuName latest(sku.tier) AS skuTier BY id 
|table name diskState diskSize osType provisioningState skuName skuTier 
|rename name AS Name diskState AS "Disk State" diskSize AS "Disk Size (GB)" osType AS "OS Type" provisioningState AS "Provisioning State" skuName AS "SKU Name" skuTier AS "SKU Tier"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Next steps

Sample results for this search are shown in the table below. The search provides useful information, such as the disk state. For example, if many disks are unattached, you might want to delete or archive them. Other fields can be used to determine if disks are being managed well. For example, the overuse of Premium SKU Tier is good to know about and can be found with this search. The size of disks is important too since many large or small disks can be reconfigured for optimization. 

You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.