Approved

Live Discover Query - Show the % free disk space

  REVIEWED by Sophos 

Often when a user complains about a device being slow or having problems, the first thing to check is how much free disk space the device has.

You can use this to monitor the devices under management to determine if you should go in and clean stuff up or not.

SELECT
   device_id Drive,
   description,
   boot_partition,
   file_system,
   printf("%.2f", (CAST (free_space AS FLOAT)/CAST(size AS FLOAT) ) * 100.0 ) || '%' Percent_Free,
   printf("%.2f", CAST(free_space AS FLOAT)/1024.0/1024.0/1024.0) 'Free_Space(GB)',
   printf("%.2f", CAST(size AS FLOAT)/1024.0/1024.0/1024.0) 'Size(GB)',
   type
FROM
   logical_drives;
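
A threshold variant of the query above, as an added example that is not part of the original post or Sophos's own code: it runs the same percent-free arithmetic in Python's built-in SQLite against constructed rows, returns only drives below a chosen percentage, and shows how a drive that reports size 0 is rendered. The sample rows, the `:threshold` parameter and the function names are assumptions.

```python
import sqlite3

GIB = 1024 ** 3
# Constructed rows standing in for osquery's logical_drives table (values made up).
SAMPLE_DRIVES = [
    # device_id, description, free_space, size
    ("C:", "Local Fixed Disk", 12 * GIB, 238 * GIB),
    ("D:", "Local Fixed Disk", 400 * GIB, 931 * GIB),
    ("E:", "CD-ROM Disc", 0, 0),  # assumed: empty drive reporting size 0
]

# Percent-free expression from the query above (format string single-quoted).
PERCENT_FREE = ("printf('%.2f', (CAST(free_space AS FLOAT)/CAST(size AS FLOAT))"
                " * 100.0) || '%'")

# Only drives below :threshold percent free, worst first. "size > 0" states
# explicitly that drives with no capacity are out of scope. Replace :threshold
# with a literal number when pasting the SQL into a query tool.
LOW_SPACE_QUERY = f"""
SELECT device_id AS Drive, description, {PERCENT_FREE} AS Percent_Free
FROM logical_drives
WHERE size > 0
  AND CAST(free_space AS FLOAT) / CAST(size AS FLOAT) * 100.0 < :threshold
ORDER BY CAST(free_space AS FLOAT) / CAST(size AS FLOAT);
"""

def _load(rows):
    """Build an in-memory table with the columns the query needs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logical_drives "
               "(device_id TEXT, description TEXT, free_space BIGINT, size BIGINT)")
    db.executemany("INSERT INTO logical_drives VALUES (?, ?, ?, ?)", rows)
    return db

def low_space_drives(rows, threshold_percent):
    """Rows (Drive, description, Percent_Free) under the threshold."""
    return _load(rows).execute(LOW_SPACE_QUERY,
                               {"threshold": threshold_percent}).fetchall()

def unfiltered_percent(rows):
    """Percent_Free for every drive, as the unfiltered query would print it."""
    sql = f"SELECT device_id, {PERCENT_FREE} FROM logical_drives"
    return dict(_load(rows).execute(sql).fetchall())

if __name__ == "__main__":
    print(low_space_drives(SAMPLE_DRIVES, 10.0))
    print(unfiltered_percent(SAMPLE_DRIVES))
```

In SQLite, 0/0 evaluates to NULL and `printf` formats NULL as `0.00`, so without a filter a size-0 drive appears as `0.00%` free even though it is not a full disk.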

  • REVIEWED by Sophos

    Here's one for better operating systems (Linux).

    SELECT
       path AS Mount_Point,
       type AS FileSystem,
       printf("%.2f", (blocks_available * blocks_size *10e-10) ) AS "Free_Space(GB)",
       printf("%.2f", (blocks * blocks_size *10e-10) ) AS "Size(GB)"
    FROM
       mounts
    WHERE
       path='/';

    Happens to also work on Mac, but I wouldn't class that as a better OS :P
  • Yes, most of the query will happen in memory, but we will generate log files local to the device for activity, and the query execution and processes involved are all being recorded into the Sophos Forensic Journals. Both the logs and journals have controls to prevent overflow and will automatically roll over, etc.
  • This will be very useful, many thanks for providing the query. Do the temporary files created during the processing of queries locally get purged on completion? Looking in ProgramData\Sophos\Live Query\Queries it all looks pretty clean at the moment. Regards Andy.