Inventory of unattached Azure managed disks
When you delete a virtual machine (VM) in Azure, by default, any disks that are attached to the VM aren't deleted. This helps to prevent data loss due to the unintentional deletion of VMs. However, after a VM is deleted, you continue to pay for unattached disks. You want to identify and delete any unattached disks so you can reduce unnecessary costs.
Data required
Microsoft: Azure managed disk data
Procedure
- Configure the Microsoft Azure Add-on for Splunk.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="azure:compute:disk" |search properties.diskState="Unattached" |dedup id |stats latest(location) AS Location latest(managedBy) AS managedBy latest(name) AS name latest(properties.creationData.imageReference.id) AS imageReference latest(properties.diskSizeGB) AS diskSize latest(properties.diskState) AS diskState latest(properties.osType) AS osType latest(properties.provisioningState) AS provisioningState latest(sku.name) AS skuName latest(sku.tier) AS skuTier BY id |table name diskState diskSize osType provisioningState skuName skuTier |rename name AS Name diskState AS "Disk State" diskSize AS "Disk Size (GB)" osType AS "OS Type" provisioningState AS "Provisioning State" skuName AS "SKU Name" skuTier AS "SKU Tier"
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
|
sourcetype="azure:compute:disk" |
Search only Azure managed disk data. |
|
|search properties.diskState="Unattached" |
Filter the results to only include those with a disk state of “Unattached”. |
|
|dedup id |
Remove results with duplicate IDs. |
|
|stats latest(location) AS Location latest(managedBy) AS managedBy latest(name) AS name latest(properties.creationData.imageReference.id) AS imageReference latest(properties.diskSizeGB) AS diskSize latest(properties.diskState) AS diskState latest(properties.osType) AS osType latest(properties.provisioningState) AS provisioningState latest(sku.name) AS skuName latest(sku.tier) AS skuTier BY id |
Return the latest value for the field. Simplify the field names for better readability. |
|
|table name diskState diskSize osType provisioningState skuName skuTier |
Display the results in a table with columns in the order shown. |
|
|rename name AS Name diskState AS "Disk State" diskSize AS "Disk Size (GB)" osType AS "OS Type" provisioningState AS "Provisioning State" skuName AS "SKU Name" skuTier AS "SKU Tier" |
Rename the fields as shown for better readability. |
Next steps
Sample results for this search are shown in the table below. The value of this data is getting a list of unattached disks that may be eligible for deletion or archival to reduce cost. When working with cloud infrastructure, it is important to search for and find things that may no longer be in use by your organization but may still be incurring charges.
| Name | Disk State | Disk Size (GB) | OS Type | Provisioning State | SKU Name | SKU Tier |
|---|---|---|---|---|---|---|
|
Test_OsDisk_1_32e1685f3eb247659c42cee472ce0b90 |
Unattached |
127 |
Windows |
Succeeded |
StandardSSD_LRS |
Standard |
|
SupplierDB_OsDisk_1_860790bb55994899b1da4ef8ef87bd57 |
Unattached |
127 |
Windows |
Succeeded |
StandardSSD_LRS |
Standard |
|
brewer_disk1_96f7bb62aaca41c482ea7154996a91ff |
Unattached |
30 |
Linux |
Succeeded |
Premium_LRS |
Premium |
|
test_OsDisk_1_f4433b58935a4a57bea498f0ef1ea0d2 |
Unattached |
30 |
Linux |
Succeeded |
StandardSSD_LRS |
Standard |
You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.