Splunk IT Service Intelligence
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk IT Service Intelligence: Why am I getting datamodel search error "Unable to find tag oshost and tag performance"

nravichandran
Communicator
‎06-06-2016 06:57 PM 
| datamodel Host_OS CPU search | `aggregate_raw_into_service(avg, Performance.CPU.cpu_load_percent)` | `assess_severity(ac600b7a-5db7-49b9-a3b6-1535c31d7826, d307e18cac4d171a0539a07c, true, true)` | eval kpi="WebService KPI 18", urgency="5", alert_period="5"

I have installed the Splunk IT Service Intelligence 2.1.0. When I am in the service editor to create KPI for CPU, I choose the KPI source as datamodel. Datamodel - HostOperatingSystem -CPU-cpu_load_percent. But when I click on the generated search, I get the "yellow" with the following messages:

The specified search will not match any events
unable to find tag oshost
unable to find tag performance

Am I missing any steps on the installation? It seems Tags are missing. How to correct it? Any help is appreciated.

Thank you
Ravichandran

Reply
1 Solution
Solved! Jump to solution
Solution

lsnow_splunk
Splunk Employee
Splunk Employee
‎06-07-2016 11:00 AM

Hi, nravichandran,

To start with the basics: are you already gathering CPU data into Splunk? If so, are you using the latest version of the Splunk Add-Ons for Windows and/or *nix to gather that data? The Splunk add-ons should tag the data automatically. If you're gathering the data in another way, you may need to add tags to the data yourself in order to use the data models (see the docs on how to normalize your data to the Common Information Model). Alternatively, you could build your KPI using a search that doesn't use the data models that require the tags. You might want to look at updating ITSI to the latest version as well - KPI base searches were introduced in version 2.2, which let you share a search definition across multiple KPIs.

Hope this helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lsnow_splunk
Splunk Employee
Splunk Employee
‎06-07-2016 11:00 AM

Hi, nravichandran,

To start with the basics: are you already gathering CPU data into Splunk? If so, are you using the latest version of the Splunk Add-Ons for Windows and/or *nix to gather that data? The Splunk add-ons should tag the data automatically. If you're gathering the data in another way, you may need to add tags to the data yourself in order to use the data models (see the docs on how to normalize your data to the Common Information Model). Alternatively, you could build your KPI using a search that doesn't use the data models that require the tags. You might want to look at updating ITSI to the latest version as well - KPI base searches were introduced in version 2.2, which let you share a search definition across multiple KPIs.

Hope this helps!

0 Karma
Reply
Solved! Jump to solution

nravichandran
Communicator
‎06-07-2016 11:19 AM

Thank you!. Is there a way to download/update to latest version? Can you please provide me the link?

0 Karma
Reply
Solved! Jump to solution

lsnow_splunk
Splunk Employee
Splunk Employee
‎06-07-2016 11:25 AM

If you don't see a download link on the app base (https://splunkbase.splunk.com/app/1841/ ), then you might need to contact support or your sales rep. Good luck!

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...