Investigating storage, disks and volumes

Disk

The term disk refers to the physical storage device of a computer. However, there are instances where it can represent a logical disk, which spans across one or more physical disks. For example, with a redundant array of independent disks (RAID) configuration, you combine multiple physical disks to form a single logical disk, providing increased performance, redundancy or both.

Windows

In the Disk Management application, the system calls physical drives disks and labels them as Disk 0, Disk 1, ... Under This PC, the system assigns these storage devices drive letters (C:, D:, ...).

These devices can vary in type, including local disks, USB drives or virtual disks.

macOS

In the Disk Utility application, the system calls physical drives media and they appear as top-level entries. The system classifies them as internal or external and labels them as disk0, disk1, ...

Using the diskutil list command, you can display all devices as /dev/disk0, /dev/disk1, ...

Volume

Volume refers to a storage unit within a disk that organizes and manages data. It functions as a logical partition and can be formatted with a file system, allowing users to store and access files. Although a single disk can contain multiple volumes, each volume operates independently, providing additional flexibility and organization to the storage system.

Windows

On Windows, in the Disk Management application, the system lists volumes under Volume.

macOS

In the Disk Utility application, the system displays volumes under the media they belong to.

Using the diskutil list command in macOS shows volumes beneath their respective disk drives, with identifiers like /dev/disk0s1, /dev/disk0s2, ...

NQL examples

List the system drive (volume/partition) free space on devices.

devices during past 7d
| include volumes 
| where system == true 
| compute system_drive_free_space = capacity.sum() * (1 - usage.sum()) 
| list device.name, system_drive_free_space

List the system drive usage on devices.

devices during past 7d 
| include device_performance.events during past 7d 
| compute system_drive_used = event.system_drive_usage.avg() 
| list device.name, system_drive_used 
| sort system_drive_used desc

List devices with less than 5GB available on the system drive.

devices during past 7d
| include volumes 
| where system == true 
| compute system_drive_free_space = capacity.sum() * (1 - usage.sum()) 
| where system_drive_free_space < 5GB 
| list device.name, system_drive_free_space

List a summary of the disks and volume of devices.

devices during past 7d 
| list device.name, disks, volumes

List all disks from all devices with their size, bootable status and type (SSD or HDD).

disks during past 7d
| list device.name, name, is_bootable, capacity , type

Working with custom fields

If you use a specific NQL query often, consider creating a custom field.

Find more information about custom fields on the Custom fields management page.

Using a custom field in an NQL query to list devices with less than 5GB available on the system drive.

devices 
| where #system_drive_free_space < 5GB 
| list device.name, #system_drive_free_space

Last updated 5 months ago

devices during past 7d | include device_performance.events during past 7d | compute system_drive_used = event.system_drive_usage.avg() | list device.name, system_drive_used | sort system_drive_used desc