I can't seem to run any reports within the Splunk App for Active Directory.
For instance, if I run user logon failures I get "Lookup table 'HostInfo' is empty."
Administrator audit: I get "Lookup table 'HostInfo' is empty." and "Lookup table 'tSessions' is empty."
Any help is appreciated since I am trying to set this up to present prior to purchasing.
I'm getting the same issue as stated in this post. Can someone help me?
Hi, I'm getting the same error too, but no solution yet. Could anyone share?
Please open up a new issue / answers - your situation may be different. Don't forget to include what version of the app you are running, what version of Windows, what version of Splunk, etc.
Adrian, was there a solution to this problem? I am also having the same issue. I did verify also that my auditing matches the documentation.
I have yet to be involved in this particular request.
The tHostInfo and tSessions tables are generated by saved searches that run on a five-minute schedule. There are a couple of reasons why they would not be shown:
I suspect #1 is the culprit. If you don't enable audit, then successful logons don't get recorded, and the tSessions and tHostInfo lookups will be empty as a result of no events.
Get in touch with your Splunk sales team and ask them to get me involved. We'll get something sorted.
Ahall_splunk...if you would like to have a look at my install...let me know. Our temp license runs to July 20th and I am trying to prove a POC to purchase.
I've just had another report of the tHostInfo table being broken, and I am investigating. It doesn't happen on my system, so any information you can provide on your AD environment would be appreciated.
Thanks in advance