Issues with Splunk App for Active Directory
I can't seem to run any reports within the Splunk App for Active Directory.
For instance, if I run user logon failures I get "Lookup table 'HostInfo' is empty."
Administrator audit: I get "Lookup table 'HostInfo' is empty." and "Lookup table 'tSessions' is empty."
Any help is appreciated since I am trying to set this up to present prior to purchasing.
I'm getting the same issue as stated in this post. Can someone help me?
Hi, I'm getting the same error too but no solution yet. Could anyone share?
Please open up a new issue / answers - your situation may be different. Don't forget to include what version of the app you are running, what version of Windows, what version of Splunk, etc.
Adrian, was there a solution to this problem? I am also having the same issue. I did verify also that my auditing matches the documentation.
I have yet to be involved in this particular request.
The tHostInfo and tSessions tables are generated by saved searches that run on a five-minute schedule. There are a couple of reasons why they would not be shown:
1. You have not turned on Audit on all your domains as described in the setup documentation
2. You are running Admin Audit with a search period that is less than five minutes
3. You have a more complex environment and your saved searches are not generating the files in the right place (unlikely if you are using the free version - this is more common in complex multi-search-head environments)
4. For some reason, the saved search is not firing (also uncommon)
I suspect #1 is the culprit. If you don't enable audit, then successful logons don't get recorded, and the tSessions and tHostInfo lookups will be empty as a result of no events.
Get in touch with your Splunk sales team and ask them to get me involved. We'll get something sorted.
Ahall_splunk...if you would like to have a look at my install...let me know. Our temp license runs to July 20th and I am trying to prove a POC to purchase.
I've just had another report of the tHostInfo table being broken, and I am investigating. It doesn't happen on my system, so any information you can provide on your AD environment would be appreciated.
1. I did and I have confirmed
2. Not sure what you mean (trying my search for a 24hr period, if that's what you mean)
3. Not the case
4. Possible this is it, but I don't know how to verify
Thanks in advance