All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

issues with splunk app for active directory

freeborn
Explorer
‎07-05-2012 10:03 AM

I cant seem to run any reports within the splunk app for active directory.

For instance if I run user logon failures i get "Lookup table 'HostInfo' is empty."

Administrator audit: I get Lookup table 'HostInfo' is empty. and Lookup table 'tSessions' is empty.

Any help is appreciated since I am trying to set this up to present prior to purchasing.

0 Karma
Reply

eljaybee
Engager
‎02-14-2014 04:39 AM

I'm getting the same issue as stating in this post. Can someone help me?

0 Karma
Reply

kelvinlow
New Member
‎10-01-2012 11:15 PM

hi, I'm getting the same error too but no solution yet. Could anyone share?

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎10-02-2012 07:23 AM

Please open up a new issue / answers - your situation may be different. Don't forget to include what version of the app you are running, what version of windows, what version of splunk, etc.

0 Karma
Reply

lfcowart
Path Finder
‎09-04-2012 08:42 PM

Adrian, was there a solution to this problem? I am also having the same issue. I did verify also that my auditing matches the documentation.

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎09-05-2012 09:20 AM

I have yet to be involved in this particular request.

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎07-05-2012 11:32 AM

The tHostInfo and tSessions tables are generated by saved searches that run on a five minute schedule. There are a couple of reasons why they would not be shown:

  1. You have not turned on Audit on all your domains as described in the setup documentation
  2. You are running Admin Audit with a search period that is less than five minutes
  3. You have a more complex environment and your saved searches are not generating the files in the right place (unlikely if you are using the free version - this is more common in complex multi-search-head environments)
  4. For some reason, the saved search is not firing (also uncommon)

I suspect #1 is the culprit. If you don't enable audit, then successful logons don't get recorded, and the tSessions and tHostInfo look ups will be empty as a result of no events.

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎07-09-2012 07:05 AM

Get in touch with your Splunk sales team and ask them to get me involved. We'll get something sorted.

0 Karma
Reply

freeborn
Explorer
‎07-09-2012 06:56 AM

Ahall_splunk...if you would like to have a look at my install...let me know. Our temp license runs to July 20th and I am trying to prove a POC to purchase.

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎07-05-2012 12:02 PM

I've just had another report of the tHostInfo table being broken, and I am investigating. It doesn't happen on my system, so any information you can provide on your AD environment would be appreciated.

0 Karma
Reply

freeborn
Explorer
‎07-05-2012 11:37 AM
  1. - I did and I have confirmed
  2. not sure what you mean (trying my search for a 24hr period if thats what you mean)
  3. not the case
  4. Possible this is it but I dont know how to verify

Thanks in advance

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...