
Issues with Splunk App for Active Directory

freeborn
Explorer

I can't seem to run any reports within the Splunk App for Active Directory.

For instance, if I run user logon failures I get "Lookup table 'HostInfo' is empty."

Administrator audit: I get Lookup table 'HostInfo' is empty. and Lookup table 'tSessions' is empty.

Any help is appreciated since I am trying to set this up to present prior to purchasing.

0 Karma

eljaybee
Engager

I'm getting the same issue as stated in this post. Can someone help me?

0 Karma

kelvinlow
New Member

Hi, I'm getting the same error too but no solution yet. Could anyone share?

0 Karma

ahall_splunk
Splunk Employee

Please open up a new issue / answers - your situation may be different. Don't forget to include what version of the app you are running, what version of Windows, what version of Splunk, etc.

0 Karma

lfcowart
Path Finder

Adrian, was there a solution to this problem? I am also having the same issue. I did verify also that my auditing matches the documentation.

0 Karma

ahall_splunk
Splunk Employee

I have yet to be involved in this particular request.

0 Karma

ahall_splunk
Splunk Employee

The tHostInfo and tSessions tables are generated by saved searches that run on a five-minute schedule. There are a couple of reasons why they would not be shown:

  1. You have not turned on Audit on all your domains as described in the setup documentation
  2. You are running Admin Audit with a search period that is less than five minutes
  3. You have a more complex environment and your saved searches are not generating the files in the right place (unlikely if you are using the free version - this is more common in complex multi-search-head environments)
  4. For some reason, the saved search is not firing (also uncommon)

I suspect #1 is the culprit. If you don't enable audit, then successful logons don't get recorded, and the tSessions and tHostInfo lookups will be empty as a result of no events.

0 Karma
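One way to tell causes #1 and #4 in the answer above apart is to read the scheduler's own log. This is an added example, not code from the thread or from the app: the log lines are constructed (trimmed to a few of the key=value fields Splunk writes to `scheduler.log`), and the app and saved-search names are hypothetical placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of $SPLUNK_HOME/var/log/splunk/scheduler.log entries.
# "example_ad_app" and the saved-search names are hypothetical placeholders.
SAMPLE_LOG = """\
03-12-2024 10:05:01.120 +0000 INFO  SavedSplunker - user="nobody", app="example_ad_app", savedsearch_name="Build Sessions Lookup", status=success, run_time=0.412, result_count=0
03-12-2024 10:10:01.098 +0000 INFO  SavedSplunker - user="nobody", app="example_ad_app", savedsearch_name="Build Sessions Lookup", status=success, run_time=0.398, result_count=0
03-12-2024 10:05:01.130 +0000 INFO  SavedSplunker - user="nobody", app="example_ad_app", savedsearch_name="Build HostInfo Lookup", status=skipped, run_time=0.000, result_count=0
03-12-2024 10:10:01.101 +0000 INFO  SavedSplunker - user="nobody", app="example_ad_app", savedsearch_name="Build HostInfo Lookup", status=skipped, run_time=0.000, result_count=0
03-12-2024 10:10:02.517 +0000 INFO  SavedSplunker - user="nobody", app="example_ad_app", savedsearch_name="Build Domain Lookup", status=success, run_time=1.204, result_count=37
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_line(line):
    """Return the key=value pairs of one scheduler.log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def classify(log_text, expected):
    """Map each expected saved search to a verdict based on its logged runs."""
    runs = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if "savedsearch_name" in fields:
            runs[fields["savedsearch_name"]].append(fields)
    verdicts = {}
    for name in expected:
        done = [r for r in runs[name] if r.get("status") == "success"]
        if not runs[name]:
            verdicts[name] = "never fired"                    # cause #4
        elif not done:
            verdicts[name] = "scheduled but not completing"   # cause #4
        elif all(int(r.get("result_count", 0)) == 0 for r in done):
            verdicts[name] = "runs but finds no events"       # cause #1
        else:
            verdicts[name] = "ok"
    return verdicts

if __name__ == "__main__":
    wanted = ["Build Sessions Lookup", "Build HostInfo Lookup",
              "Build Domain Lookup", "Build Missing Lookup"]
    for name, verdict in classify(SAMPLE_LOG, wanted).items():
        print(f"{name}: {verdict}")
```

A search that completes every five minutes with `result_count=0` points at missing audit events rather than at the scheduler.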

ahall_splunk
Splunk Employee

Get in touch with your Splunk sales team and ask them to get me involved. We'll get something sorted.

0 Karma

freeborn
Explorer

Ahall_splunk...if you would like to have a look at my install...let me know. Our temp license runs to July 20th and I am trying to prove a POC to purchase.

0 Karma

ahall_splunk
Splunk Employee

I've just had another report of the tHostInfo table being broken, and I am investigating. It doesn't happen on my system, so any information you can provide on your AD environment would be appreciated.

0 Karma

freeborn
Explorer

  1. I did and I have confirmed
  2. Not sure what you mean (trying my search for a 24hr period, if that's what you mean)
  3. Not the case
  4. Possible this is it, but I don't know how to verify

Thanks in advance

0 Karma