Splunk ITSI
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk IT Service Intelligence: Why am I getting datamodel search error "Unable to find tag oshost and tag performance"

nravichandran
Communicator
‎06-06-2016 06:57 PM 
| datamodel Host_OS CPU search | `aggregate_raw_into_service(avg, Performance.CPU.cpu_load_percent)` | `assess_severity(ac600b7a-5db7-49b9-a3b6-1535c31d7826, d307e18cac4d171a0539a07c, true, true)` | eval kpi="WebService KPI 18", urgency="5", alert_period="5"

I have installed the Splunk IT Service Intelligence 2.1.0. When I am in the service editor to create KPI for CPU, I choose the KPI source as datamodel. Datamodel - HostOperatingSystem -CPU-cpu_load_percent. But when I click on the generated search, I get the "yellow" with the following messages:

The specified search will not match any events
unable to find tag oshost
unable to find tag performance

Am I missing any steps on the installation? It seems Tags are missing. How to correct it? Any help is appreciated.

Thank you
Ravichandran

Reply
1 Solution
Solved! Jump to solution
Solution

lsnow_splunk
Splunk Employee
Splunk Employee
‎06-07-2016 11:00 AM

Hi, nravichandran,

To start with the basics: are you already gathering CPU data into Splunk? If so, are you using the latest version of the Splunk Add-Ons for Windows and/or *nix to gather that data? The Splunk add-ons should tag the data automatically. If you're gathering the data in another way, you may need to add tags to the data yourself in order to use the data models (see the docs on how to normalize your data to the Common Information Model). Alternatively, you could build your KPI using a search that doesn't use the data models that require the tags. You might want to look at updating ITSI to the latest version as well - KPI base searches were introduced in version 2.2, which let you share a search definition across multiple KPIs.

Hope this helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lsnow_splunk
Splunk Employee
Splunk Employee
‎06-07-2016 11:00 AM

Hi, nravichandran,

To start with the basics: are you already gathering CPU data into Splunk? If so, are you using the latest version of the Splunk Add-Ons for Windows and/or *nix to gather that data? The Splunk add-ons should tag the data automatically. If you're gathering the data in another way, you may need to add tags to the data yourself in order to use the data models (see the docs on how to normalize your data to the Common Information Model). Alternatively, you could build your KPI using a search that doesn't use the data models that require the tags. You might want to look at updating ITSI to the latest version as well - KPI base searches were introduced in version 2.2, which let you share a search definition across multiple KPIs.

Hope this helps!

0 Karma
Reply
Solved! Jump to solution

nravichandran
Communicator
‎06-07-2016 11:19 AM

Thank you!. Is there a way to download/update to latest version? Can you please provide me the link?

0 Karma
Reply
Solved! Jump to solution

lsnow_splunk
Splunk Employee
Splunk Employee
‎06-07-2016 11:25 AM

If you don't see a download link on the app base (https://splunkbase.splunk.com/app/1841/ ), then you might need to contact support or your sales rep. Good luck!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...