Re: Help with Data Explorer query (filter on disk)

ct_27 · ‎27 Jun 2023

Team, Since Dynatrace doesn't distinguish between local and NFS mounted disk I need to find a way to fix a Top List graph to exclude disks with '\\' in their name since that would represent NFS mounted disk. The graph shows the top 100 disks in our environment ordered by disk.usedPct. This way we know in advance what disks are filling up and about to trigger alarms.

Here is my Query

builtin:host.disk.usedPct:splitBy("dt.entity.host","dt.entity.disk"):filter(not(contains("dt.entity.disk","\\"))):last:auto:sort(value(avg,descending)):limit(100)

But it essentially results in no change because 'dt.entity.disk' isn't the cosmetic name of the disk but rather the ID 'DISK-0E49522BDC9250CE'. So, from what I can tell, I can't filter out things like, give me drives that start with 'E' or give me drives that don't start with '\\'.

Am i missing something? Has anyone else had to figure out a solution for this?

HigherEd

dannemca · ‎27 Jun 2023

@ct_27

try this:

builtin:host.disk.usedPct:filter(not(in("dt.entity.disk",entitySelector("type(disk),entityName(~"\\~")")))):splitBy("dt.entity.host","dt.entity.disk"):last:auto:sort(value(avg,descending)):limit(100)

Site Reliability Engineer @ Kyndryl

ct_27 · ‎27 Jun 2023

unfortunately it did not, but you have a great idea to use the entity selector. I'm going to follow that lead and see where it takes me.

HigherEd

dannemca · ‎28 Jun 2023

That's odd, it worked just well to me. What are you getting with this query? Still returning '\\..." disks?

Site Reliability Engineer @ Kyndryl

ct_27 · ‎28 Jun 2023

[UPDATE 6/28 CT_27]

Nevermind.....once i applied the management zone it brought more things into view and a '\\' re-appeared.

(sorry for the heavy redaction)

@dannemca it works now. Ok, so I know a computer only does what you tell it and I totally pasted in your suggested query yesterday, as did my co-worker. It was still showing disks that started with '\\'. We even then tried to adjust the query to get it working. It always showed disks with '\\'.

I went in just now to give it a another try because I believe you when you said it worked for you. Sure enough, it worked instantly as you said it would.

Like many things in DT, I simply can't explain it. But ultimately it is the solution to my problem and I am very appreciative of it. Thank you again, this is great.

HigherEd

dannemca · ‎28 Jun 2023

Even I can't get the proper result anymore... gee. I sure, it worked yesterday, and I did used a specific MZ that contains only Windows boxes to avoid this "no \\ on result anyway".

😞

Site Reliability Engineer @ Kyndryl

ct_27 · ‎28 Jun 2023

This could be a bigger issue than i expected.......DT at some point in the past few weeks changed the way it detects drives. Instead of just local and mapped drives shows, DT now detects any drive your computer ever touched. That includes network drives that may be holding say your AD Profile. If that drive ever goes above a programmed threshold there is potential for DT to trigger an alert every time a machine accesses the drive which is over the threshold. Digging into this more to understand what Dynatrace has changed and what the potential risk and impact are.

HigherEd

ct_27 · ‎11 Jul 2023

Because the negate does not appear to work a co-worker approached the issue from the other direction. He's instead including most of the letter drives from A-Z.

builtin:host.disk.usedPct:filter(and(or(in("dt.entity.host",entitySelector("type(host),tag(~"DiskMonitor:Global~")"))),or(in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"I:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"Z:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"P:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"K:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"N:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"L:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"F:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"D:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"T:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"J:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"H:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"M:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"G:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"E:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"X:\~")")),in("dt.entity.disk",entitySelector("type(disk),entityName.equals(~"C:\~")"))))):splitBy("dt.entity.host","dt.entity.disk"):sort(value(auto,descending)):limit(100)

HigherEd

dannemca · ‎11 Jul 2023

Lucky you it is not the entire alphabet😅

Site Reliability Engineer @ Kyndryl

chris_oggeri · ‎11 Jul 2023

Hi,

It is weird that the solution provided by @dannemca is not working for you. I tried on my side and it seems to work as expected.

Anyway, for your last query, maybe something like this could be easier to read/modify?

builtin:host.disk.usedPct:filter(and(or(in("dt.entity.host",entitySelector("type(host),tag(~"DiskMonitor:Global~")"))),or(in("dt.entity.disk",entitySelector("type(disk),entityName.in(~"I:\~",~"Z:\~",~"P:\~",~"K:\~",~"N:\~",~"L:\~",~"F:\~",~"D:\~",~"T:\~",~"J:\~",~"H:\~",~"M:\~",~"G:\~",~"E:\~",~"X:\~",~"C:\~")"))))):splitBy("dt.entity.host","dt.entity.disk"):sort(value(auto,descending)):limit(100)

or even

builtin:host.disk.usedPct:filter(and(or(in("dt.entity.host",entitySelector("type(host),tag(~"DiskMonitor:Global~")"))),or(in("dt.entity.disk",entitySelector("type(disk),entityName.contains(~":\~")"))))):splitBy("dt.entity.host","dt.entity.disk"):sort(value(auto,descending)):limit(100)

ct_27 · ‎12 Jul 2023

Thank you, I merged what you had along with what @dannemca provided and ended up with the below. I agree what Dan provided should have 100% worked and it does 99%. I think there is a bug in DT because of the 1,000 results I get in a table I have just one drive that seems to squeeze in that starts with \\. It makes no sense.

Ultimately we landed here which is a merger of all the suggestions.

builtin:host.disk.usedPct:filter(
and(
	or(
	in("dt.entity.host",entitySelector("type(host),tag(~"DiskMonitor:Global~")"))
	),
	or(
not(in("dt.entity.disk",entitySelector("type(disk),entityName.contains(~"\\~")")))
	),
	or(
not(in("dt.entity.disk",entitySelector("type(disk),entityName.contains(~"~/~")")))
	)
)
):splitBy("dt.entity.host","dt.entity.disk"):sort(value(auto,descending)):limit(100)

Once things cleared up we then started to see more drives with '/root' showing up so we added that to the query. We did try not(in("dt.entity.disk",entitySelector("type(disk),entityName.in(~"\\~",~"/~")"))) but got bad results.

I am thankful to all of you for helping provide a solution.

HigherEd