All Apps and Add-ons

Lookup table 'HostInfo' and 'tSessions' is empty?


I am trying to use Splunk App for Active Directory
I have many features of the App working, however most of the searches under the Security tab fail, and all of the searches under the Change Mgmt tab fail.

Security > Audit > Computer Audit produces the following errors:
[subsearch]: No matching fields exist
Lookup table 'HostInfo' is empty.
No matching fields exist

Change Mgmt > User Record Changes produces the following errors:
No matching fields exist
Lookup table 'tSessions' is empty.
Lookup table 'HostInfo' is empty.

I believe I have SA-ldapsearch configured correctly.
Security > Reports > Computer Accounts > Computers: All
Works great and without error.

Per this post of someone previously with the same error:

1) I have created the Audit GPO as detailed in the installation manual and assigned it to all of my domains
2) I have been attempting these searches with a time frame of last 7 days
3) My environment is not very complex

My central index is running:
Splunk Version 6.0.2
Splunk Build 196940
Splunk App for Active Directory 1.2.2
Server OS: Windows 7 Professional SP1 64bit

Thank you in advance!

0 Karma


I know this is a little old, but I found this while having the same issue.

I ended up fixing it by going into lookup definitions under settings->lookups and disabling/re-enabling the lookup.

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...