Splunk ITSI

Splunk IT Service Intelligence: Why am I getting datamodel search error "Unable to find tag oshost and tag performance"

nravichandran
Communicator
| datamodel Host_OS CPU search | `aggregate_raw_into_service(avg, Performance.CPU.cpu_load_percent)` | `assess_severity(ac600b7a-5db7-49b9-a3b6-1535c31d7826, d307e18cac4d171a0539a07c, true, true)` | eval kpi="WebService KPI 18", urgency="5", alert_period="5"

I have installed the Splunk IT Service Intelligence 2.1.0. When I am in the service editor to create KPI for CPU, I choose the KPI source as datamodel. Datamodel - HostOperatingSystem -CPU-cpu_load_percent. But when I click on the generated search, I get the "yellow" with the following messages:

The specified search will not match any events
unable to find tag oshost
unable to find tag performance

Am I missing any steps on the installation? It seems Tags are missing. How to correct it? Any help is appreciated.

Thank you
Ravichandran

1 Solution

lsnow_splunk
Splunk Employee
Splunk Employee

Hi, nravichandran,

To start with the basics: are you already gathering CPU data into Splunk? If so, are you using the latest version of the Splunk Add-Ons for Windows and/or *nix to gather that data? The Splunk add-ons should tag the data automatically. If you're gathering the data in another way, you may need to add tags to the data yourself in order to use the data models (see the docs on how to normalize your data to the Common Information Model). Alternatively, you could build your KPI using a search that doesn't use the data models that require the tags. You might want to look at updating ITSI to the latest version as well - KPI base searches were introduced in version 2.2, which let you share a search definition across multiple KPIs.

Hope this helps!

View solution in original post

0 Karma

lsnow_splunk
Splunk Employee
Splunk Employee

Hi, nravichandran,

To start with the basics: are you already gathering CPU data into Splunk? If so, are you using the latest version of the Splunk Add-Ons for Windows and/or *nix to gather that data? The Splunk add-ons should tag the data automatically. If you're gathering the data in another way, you may need to add tags to the data yourself in order to use the data models (see the docs on how to normalize your data to the Common Information Model). Alternatively, you could build your KPI using a search that doesn't use the data models that require the tags. You might want to look at updating ITSI to the latest version as well - KPI base searches were introduced in version 2.2, which let you share a search definition across multiple KPIs.

Hope this helps!

0 Karma

nravichandran
Communicator

Thank you!. Is there a way to download/update to latest version? Can you please provide me the link?

0 Karma

lsnow_splunk
Splunk Employee
Splunk Employee

If you don't see a download link on the app base (https://splunkbase.splunk.com/app/1841/ ), then you might need to contact support or your sales rep. Good luck!

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...