Splunk IT Service Intelligence: Why am I getting datamodel search error "Unable to find tag oshost and tag performance"

Communicator
| datamodel Host_OS CPU search | `aggregate_raw_into_service(avg, Performance.CPU.cpu_load_percent)` | `assess_severity(ac600b7a-5db7-49b9-a3b6-1535c31d7826, d307e18cac4d171a0539a07c, true, true)` | eval kpi="WebService KPI 18", urgency="5", alert_period="5"

I have installed Splunk IT Service Intelligence 2.1.0. When I am in the service editor to create a KPI for CPU, I choose the KPI source as datamodel. Datamodel - HostOperatingSystem -CPU-cpuloadpercent. But when I click on the generated search, I get the "yellow" with the following messages:

The specified search will not match any events
unable to find tag oshost
unable to find tag performance

Am I missing any steps in the installation? It seems tags are missing. How do I correct it? Any help is appreciated.

Thank you
Ravichandran

1 Solution

Splunk Employee

Hi, nravichandran,

To start with the basics: are you already gathering CPU data into Splunk? If so, are you using the latest version of the Splunk Add-Ons for Windows and/or *nix to gather that data? The Splunk add-ons should tag the data automatically. If you're gathering the data in another way, you may need to add tags to the data yourself in order to use the data models (see the docs on how to normalize your data to the Common Information Model). Alternatively, you could build your KPI using a search that doesn't use the data models that require the tags. You might want to look at updating ITSI to the latest version as well - KPI base searches were introduced in version 2.2, which let you share a search definition across multiple KPIs.

Hope this helps!

0 Karma
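
Added example (not part of the original thread, and not configuration shipped by Splunk): one way to add the two tags named in the warning to CPU data that is not collected by the Splunk add-ons. The sourcetype `custom:cpu`, the event type name `custom_cpu_metrics` and the source field `pct_used` are placeholders assumed for illustration.

```ini
# --- eventtypes.conf (in a local app) ---
# Event type that matches the custom CPU events.
# "custom:cpu" is a placeholder sourcetype (assumption).
[custom_cpu_metrics]
search = sourcetype="custom:cpu"

# --- tags.conf ---
# Attach the two tags the generated search reported as missing.
[eventtype=custom_cpu_metrics]
oshost = enabled
performance = enabled

# --- props.conf ---
# The KPI search aggregates Performance.CPU.cpu_load_percent, so the
# events must carry a cpu_load_percent field. "pct_used" is a placeholder
# for whatever the custom source calls that value (assumption).
[custom:cpu]
FIELDALIAS-cpu_load = pct_used AS cpu_load_percent

# To confirm the tags apply, run a search such as:
#   sourcetype="custom:cpu" tag=oshost tag=performance | stats count by host
# The CPU dataset may require tags beyond these two; check its
# constraints in the data model editor.
```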

Communicator

Thank you! Is there a way to download/update to the latest version? Can you please provide me the link?

0 Karma

Splunk Employee

If you don't see a download link on the app base (https://splunkbase.splunk.com/app/1841/), then you might need to contact support or your sales rep. Good luck!

0 Karma