Did the way os_disk_configuration_freespace_all works in an alert change recently? I have this alert set up to look at _devices.
Is it not looking for bytes here anymore but GB or something and I’m getting every device in my org to report back?
How am I supposed to know which computers here are alerting or what is the point of even sending me this alert to begin with if I can’t figure out which computers are throwing the alert to begin with.
That is an issue I was having, because of how the table was reporting. I had to create my own table with a script to gather my data. I think that table updates once a minute or so, so if your alerts per time frame and re-run were not right it would do that.
```
# Set output encoding to ensure non-ASCII characters are captured
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8

try {
    # Local fixed disks only (DriveType=3); skip volumes that report no size
    $logicalDisks = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType=3" | Where-Object { $_.Size -ne $NULL }

    # Create an array to store the results
    $results = @()

    # Iterate over each logical disk and calculate the required metrics
    foreach ($disk in $logicalDisks) {
        $totalSpaceBytes = $disk.Size
        $freeSpaceBytes = $disk.FreeSpace
        $usedSpaceBytes = $totalSpaceBytes - $freeSpaceBytes
        $totalSpaceGB = [math]::Round($totalSpaceBytes / 1GB, 2)
        $usedSpaceGB = [math]::Round($usedSpaceBytes / 1GB, 2)
        $freeSpaceGB = [math]::Round($freeSpaceBytes / 1GB, 2)
        $percentAvailable = [math]::Round(($freeSpaceBytes / $totalSpaceBytes) * 100, 2)

        # Add the result to the array
        $results += [PSCustomObject]@{
            DriveLetter      = $disk.DeviceID
            VolumeName       = $disk.VolumeName
            TotalSpaceGB     = $totalSpaceGB
            UsedSpaceGB      = $usedSpaceGB
            FreeSpaceGB      = $freeSpaceGB
            PercentAvailable = $percentAvailable
        }
    }

    # Emit the collected rows as JSON between the data markers
    Write-Output("### SIP DATA BEGINS ###")
    Write-Output $results | ConvertTo-Json
    Write-Output("### SIP DATA ENDS ###")
}
catch {
    # $_ is only populated inside a catch block, so the event output lives here
    Write-Output("### SIP EVENT BEGINS ###")
    Write-Output "$($_.exception.message)"
    Write-Output("### SIP EVENT ENDS ###")
}
```
Thanks for the script, that is awesome. I may end up having to do the same thing.
My retrigger delay is set to 12 hours.
I set the number of hits from 5 to 25.
Changed the time window.
Deleted and re-added the alert.
I just can’t figure out what is going on with it all of a sudden.
When I looked at the _Device data index the last hour or so, there were only a handful of computers that matched the criteria. Just bizarre.
