Re: issues with splunk app for active directory

freeborn · ‎07-05-2012

I cant seem to run any reports within the splunk app for active directory.

For instance if I run user logon failures i get "Lookup table 'HostInfo' is empty."

Administrator audit: I get Lookup table 'HostInfo' is empty. and Lookup table 'tSessions' is empty.

Any help is appreciated since I am trying to set this up to present prior to purchasing.

eljaybee · ‎02-14-2014

I'm getting the same issue as stating in this post. Can someone help me?

kelvinlow · ‎10-01-2012

hi, I'm getting the same error too but no solution yet. Could anyone share?

ahall_splunk · ‎10-02-2012

Please open up a new issue / answers - your situation may be different. Don't forget to include what version of the app you are running, what version of windows, what version of splunk, etc.

lfcowart · ‎09-04-2012

Adrian, was there a solution to this problem? I am also having the same issue. I did verify also that my auditing matches the documentation.

ahall_splunk · ‎09-05-2012

I have yet to be involved in this particular request.

ahall_splunk · ‎07-05-2012

The tHostInfo and tSessions tables are generated by saved searches that run on a five minute schedule. There are a couple of reasons why they would not be shown:

You have not turned on Audit on all your domains as described in the setup documentation
You are running Admin Audit with a search period that is less than five minutes
You have a more complex environment and your saved searches are not generating the files in the right place (unlikely if you are using the free version - this is more common in complex multi-search-head environments)
For some reason, the saved search is not firing (also uncommon)

I suspect #1 is the culprit. If you don't enable audit, then successful logons don't get recorded, and the tSessions and tHostInfo look ups will be empty as a result of no events.

ahall_splunk · ‎07-09-2012

Get in touch with your Splunk sales team and ask them to get me involved. We'll get something sorted.

freeborn · ‎07-09-2012

Ahall_splunk...if you would like to have a look at my install...let me know. Our temp license runs to July 20th and I am trying to prove a POC to purchase.

ahall_splunk · ‎07-05-2012

I've just had another report of the tHostInfo table being broken, and I am investigating. It doesn't happen on my system, so any information you can provide on your AD environment would be appreciated.

freeborn · ‎07-05-2012

- I did and I have confirmed
not sure what you mean (trying my search for a 24hr period if thats what you mean)
not the case
Possible this is it but I dont know how to verify

Thanks in advance

issues with splunk app for active directory

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation