Lookup table 'HostInfo' and 'tSessions' is empty?

buchanaj · ‎03-24-2014

Hello,
I am trying to use Splunk App for Active Directory
I have many features of the App working, however most of the searches under the Security tab fail, and all of the searches under the Change Mgmt tab fail.

Security > Audit > Computer Audit produces the following errors:
[subsearch]: No matching fields exist
Lookup table 'HostInfo' is empty.
No matching fields exist

Change Mgmt > User Record Changes produces the following errors:
No matching fields exist
Lookup table 'tSessions' is empty.
Lookup table 'HostInfo' is empty.

I believe I have SA-ldapsearch configured correctly.
Security > Reports > Computer Accounts > Computers: All
Works great and without error.

Per this post of someone previously with the same error:

http://answers.splunk.com/answers/52299/issues-with-splunk-app-for-active-directory/52308

1) I have created the Audit GPO as detailed in the installation manual and assigned it to all of my domains
2) I have been attempting these searches with a time frame of last 7 days
3) My environment is not very complex

My central index is running:
Splunk Version 6.0.2
Splunk Build 196940
Splunk App for Active Directory 1.2.2
Server OS: Windows 7 Professional SP1 64bit

Thank you in advance!

hatbeard · ‎10-08-2014

I know this is a little old, but I found this while having the same issue.

I ended up fixing it by going into lookup definitions under settings->lookups and disabling/re-enabling the lookup.

Lookup table 'HostInfo' and 'tSessions' is empty?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases