Hello,
I am trying to use the Splunk App for Active Directory.
I have many features of the App working, however most of the searches under the Security tab fail, and all of the searches under the Change Mgmt tab fail.
Security > Audit > Computer Audit produces the following errors:
[subsearch]: No matching fields exist
Lookup table 'HostInfo' is empty.
No matching fields exist
Change Mgmt > User Record Changes produces the following errors:
No matching fields exist
Lookup table 'tSessions' is empty.
Lookup table 'HostInfo' is empty.
I believe I have SA-ldapsearch configured correctly.
Security > Reports > Computer Accounts > Computers: All
Works great and without error.
Per this post from someone who previously had the same error:
http://answers.splunk.com/answers/52299/issues-with-splunk-app-for-active-directory/52308
1) I have created the Audit GPO as detailed in the installation manual and assigned it to all of my domains.
2) I have been attempting these searches with a time frame of last 7 days.
3) My environment is not very complex.
My central index is running:
Splunk Version 6.0.2
Splunk Build 196940
Splunk App for Active Directory 1.2.2
Server OS: Windows 7 Professional SP1 64-bit
Thank you in advance!
I know this is a little old, but I found this while having the same issue.
I ended up fixing it by going into lookup definitions under settings->lookups and disabling/re-enabling the lookup.