5 Year Anniversary

Hello Everyone,

The day was Tuesday, February 26, in the year 2013.  A small group of us gathered at Charlie’s on the Lake for the first meeting of Splunk402.  Little did I know the journey I was in for.  Over the last 5 years, I have been able to meet so many great people and developed amazing friendships.  I have had the opportunity to represent Nebraska on an international stage at different events.

Since the first meeting 5 years ago, we have had some great meetings.  People have come and people have gone, but the spirit of the group has remained.  We are curious about technology and passionate about finding solutions to questions that have been asked and ones we didn’t know existed until we saw the data.

This group has been a shining light for Splunk.  The power of the user group in the fly over state that sits in the middle of the United States is astonishing.  I completely attribute this to the members of this group.  Without you, I would just be a person talking to myself about Splunk but you give me a voice to the community.  As a group, we continue to ask questions, give advice, and to push each other.

And for this, you deserve a party.  Please join me at the Beercade at 6104 Maple St, Omaha, NE 68104 on Thursday March 8th starting at 6pm for a celebration of the past 5 years.  We will provide the food, drinks, and video games.  Thank you for the memories and I look forward to the future with all of you.

Please register for the event at:


2018 Planning and Survey Results

Happy New Year to everyone out there.

We recently send out a survey to members of our user group to help understand what the group is looking for in this up coming year.   Thank you to everyone that took the survey.  Your opinions, thoughts, and suggestions help to shape the user group.

Question 1 is about topics for meetings.

Question 2, 3, 4 is about the meeting (type of meeting, day, time).

Question 5 is about activities that the group could do.

Question 6 is about the Splunk402 5-year party.

Question 7 is an open-ended question on what we can do better.

In 2018, what features of Splunk do you want to learn more about with Splunk?
Responses 22
Not Really Somewhat Yes Please Weighted Average
Building Dashboards 1 9 12 2.50
Splunk for Security 4 8 10 2.27
Machine Learning 5 6 11 2.27
ITSI 5 7 10 2.23
Getting Data in to Splunk 5 10 7 2.09
Splunk for IoT 7 7 8 2.05
What are the conf and what do they do? 6 9 7 2.05
Splunk for Cloud (AWS / Azure) 6 12 4 1.91
Common Information Model
all are great topics, honestly.

In which of these styles do you think would be best for you for the User Group?
Responses 22
No Thank You Sometimes Yes Please N/A Weighted Average
Lecture Style – Person(s) up front interacting with everyone 0 9 12 1 2.45
Large Group – Everyone together 2 11 8 1 2.18
Presentation – Listen to a presenter (in person / online) or watch something as a group 2 11 8 1 2.18
Small Group  – Small groups of people working interacting with each other 5 10 6 1 1.95
Networking – Less focused on the learning and more on the socializing aspect 5 12 4 1 1.86
N/A because I’ve never been to an event
i like networking for like a tiny portion, but not the whole meeting.

What time works best for you for the user group? (1 = Best for you, 5 = Worst for you)
Responses 22
1 2 3 4 5 Score
Lunch (Noon) 17 2 1 1 1 4.50
Late Afternoon (3pm) 1 11 4 5 1 3.27
After work (6 pm) 3 5 6 8 0 3.14
Breakfast (9am) 1 2 8 3 8 2.32
Evening (8pm) 0 2 3 5 12 1.77

What day of the week works best? (1 = Best for you, 5 = Worst for you)
Responses 22
1 2 3 4 5 6 7 Score
Tuesday 6 6 5 2 3 0 0 5.45
Wednesday 5 9 3 1 1 1 2 5.23
Thursday 5 4 5 3 2 2 1 4.86
Monday 3 1 4 9 5 0 0 4.45
Friday 2 0 4 5 9 1 1 3.82
Saturday 1 0 1 2 0 12 6 2.27
Sunday 0 2 0 0 2 6 12 1.91

If the User Group had an event in between meeting, please check any/all that you would want to attend.
Responses 17
Hack-a-thon (building dashboards/reports in a set timeframe) 10 59%
Boss of the SOC 9 53%
SPLing Bee 8 47%
Boss of the NOC 8 47%

We are coming up on our 5th year anniversary.  If we were to throw a party, where should we have it?
Responses 22
Not for me Maybe Yes Please Weighted Average
Beercade 3 7 12 2.41
Private room of a bar 2 11 9 2.32
Bowling Alley 5 12 5 2.00
Escape Rooms 7 11 4 1.86
Family Fun Center XL 9 12 1 1.64
private room at a bar only if the beer selection is on par with beercade
only answering not for me because I’ve never been to an event and would feel bad about taking advantage of a party

What can we do to help you and what can we do to make Splunk402 better?
Keep on truckin.
Another topic I’d be interested in seeing is perhaps a live demo, or a walk through of how best to setup SSL/TLS through an entire Splunk deployment. There is some good .conf presentations, but even a group discussion on what works, lessons learned, strategies, ongoing maintenance considerations, etc. might provide benefit to the group.
free beer
Meetings 4-6 times a year.
Keep on keeping on …
<comment redacted>

December 2017 Meeting

Happy Thanksgiving to everyone. I hope all of your phones stayed silent this holiday. We will be having our next meeting on December 12th from noon to 1:30pm at the Sirius Computer Solutions office in Omaha. We will be joined with the one and only Jason Hupka from Splunk (aka snooplog). Jason is part of the Splunk Community group and is the creator of the Splunk Bucket List. Come and learn more about Splunk Community, the Bucket List, and help shape the future of the Splunk Community by sharing your thoughts, opinions, and ideas with someone on the team.

We will be providing lunch for the event. As always, bring your problems and solutions to the meeting for our networking time. Share your knowledge, get some ideas, and learn from other members of the group.

Register for the event at: http://splk.site/402meeting

August 2017 Meeting Recap

Thank you to everyone that attended the August meeting.  It was a great turn out.  A big thank you to Sirius for hosting the meeting.

If you would like to get in touch with our guest speaker from the FBI, please email contact@splunk402.com and someone will get you in touch with him.  The Special Agents details will not be posted on the site.  It was great to be able to talk with the Special Agent and listen to his take on different topics.

Our next meeting will be October 25th, 2017 at noon at the Sirius office.  Registration detail are listed below.  Come and hear from people that attended .conf and learn about the exciting announcements that happened at the user’s conference.


Splunk’s .conf will be September 25-28, 2017 in Washington, DC.  There is still time to register.  If you are going, please make sure to let Tony Reinke, User Group Leader, or Patrick O’Conner from Sirius know to make sure any announcements for our group can be coordinated.

Register for the Next Event

We are excited to once again be at the offices of Sirius.  Their offices are at 14301 FNB Parkway, Suite 400, Omaha, NE 68154.

Date and Time:

October 25th, 2017 at Noon

Register for the event at:



12:00pm – Start Meeting and Introductions
12:15pm – What we learned at .conf2017
01:15pm – Wrap Up / Q&A / Networking

Future Meeting Topics

What topics should we work on in the upcoming/future user group meetings? Is there something you want to get hands on learning with? What are the topics you have thought to yourself “I wanted to try this but don’t want to risk breaking my environment”?  What different technologies have you wanted to learn more about and see how we can tie them in to Splunk?  We want to know what is on your mind.

We have already heard people asking us for more information on Splunk and Machine Learning Head Clustering, Examples of the HTTP Collector, and using/building APIs for Splunk.  We are working on helping to get topics on this for upcoming meetings.  We want to know what else is on your mind.

August 2017 Meeting

About the Meeting:

With security being in the new so much lately, we are featuring it front and center in this user group meeting. We will be joined by a Special Agent of the Omaha FBI. He will be talking about Cyber Security and the FBI.

We will be at the offices of our great partner Sirius (formerly Continuum) in Omaha. We will also have a film crew from Splunk on hand to film our user group. Splunk .conf2017 is just around the corner and this will be the last time we meet before conf. If you have questions about conf, please let us know or talk to us at the meeting.

Date and Time:

August 10th, 2017 at Noon


  12:00 PM Start Meeting, Grab Food, Introductions
  12:15 PM The FBI and Cyber Security
  01:15 PM General Discussion

Register for the Event
We are happy to be at the offices of Sirius this meeting. Their offices are at 14301 FNB Parkway, Suite 400, Omaha, NE 68154.

Register for the event at:

New User Group – Sioux Falls, SD

Are you in the Sioux Falls, South Dakota area? Are you a Splunk customer or want to learn more Splunk? We are starting up a Sioux Falls user group. No matter if you are just getting in to IT or been there for years, come and join us. This is a technical user group so you won’t have to sit and listen to sales people pitch at you. You will get to talk to other IT ninjas and gurus that love to tinker and play.


April 2017 Meeting Recap

User Group Meeting:

Thank you to everyone that came out to our meeting.  We had a great time learning about Splunk for AWS.  We also had a great discussion afterwards with many people sharing their experiences to help other members of the group.

The WebEx recording of Splunk for AWS is at:

PowerPoint (in PDF form) from the WebEx:
Splunk AWS Presentation

The marketing video for Splunk for AWS – Gain End-to-End AWS Visibility:

Survey Data:

From the data collect in the web survey, we will continue to have our meeting over lunch or after work.  During these meetings we will focus on technical solutions.  I will work to find ways for the meeting to be more interactive with more troubleshooting type of meetings.


  • Problems & Solutions; or a session to work through issues faced.
  • less sales, more tech details and app usage cases

April.2017 Meeting

The upcoming meeting is going to be light and fluffy. We will be talking about Clouds. To define that more, Amazon Web Services. Splunk and AWS have a great relationship. Many of us use AWS personally and professionally. Time to get that AWS data in to Splunk. We will go over setting up the App and then you will get a chance to have a Q&A with Laura.

We will be meeting at the AIM Exchange building (1905 Harney St, Omaha, NE 68102) over lunch. Hope to see everyone there.

Register for the event at:

Notes from November.2016 meeting

Thanks to everyone that came out to The Learning Academy for today’s meeting.  We had a great meeting with lots of discussion.

  • I brought up the idea of getting together at the beginning of December for a happy hour.  A couple people seemed interested.  I will send out an email to everyone in a few weeks to see who is interested.
  • Adam Tice with Splunk gave us an overview of what is new in Splunk 6.5
  • I showed building a rsyslog server and getting the logs in to Splunk
    • create sheet available below
  • The grouped talk about building your own dashboard by taking code from other application
    • Using other applications searches to build the dashboard of just want you want
    • Combining different dashboards in to a single dashboard
  • The group also talked to the students and each other about opportunities in security and specially in Splunk in the workforce


### Build your own rsyslog and send all the data to Splunk ###

In this test/demo environment I used three CentOS 7 machines on VMware Workstation.  This sheet is focusing on the rsyslog server machine and assumes that you have the client setup to forward syslog to the server and that the Splunk indexer is setup and set to receive Splunk data from a universal forwarder.


Splunk Indexer =
RSyslog Remote =
RSyslog Server =


## On the rsyslog server ##

# Make sure that we have the latest updates installed #
yum update -y

# Install the rsyslog and the documents for rsyslog
yum install rsyslog rsyslog-doc

# Edit the rsyslog config file
vi /etc/rsyslog.conf

# remove the comment (#) for the following lines:
$ModLoad imudp
$UDPServerRun 514

$ModLoad imtcp
$InputTCPServerRun 514

# Add the firewall rules to accept the data from other machines / devices
firewall-cmd –zone=public –permanent –add-port=514/tcp
firewall-cmd –zone=public –permanent –add-port=514/udp
firewall-cmd –reload

# Restart the rsyslog service
systemctl restart rsyslog

# Check to make sure that the system is responding to the ports
netstat -antup | grep 514

# You should see something like the following:



# Now watch the log file (/var/log/messages) to see if you are getting syslog data from the remote machine
tail -f /var/log/messages

## On the rsyslog remote ##

# Setup / Verify that it is set up to send syslog to the rsyslog server
vi /etc/rsyslog.conf

# Typically it will look like the following:
*.* @remote-host:514

# Then we can write a message to the message file to be sent
logger -t Splunk402 Splunk Rules!

## On the rsyslog server ##

# You should see a message pop up like:
Nov 16 12:17:33 remotemachine01 Splunk402: Splunk Rules!

# Now we want to install the Splunk Universal Forwarder.  Go to https://www.splunk.com/en_us/download/universal-forwarder.html#tabs/linux and select .rpm version that is the same as the OS for you.  If you are not logged in to the site, you will need to login or sign up for an account.  Click on the “Download via Command Line (wget)” and get the wget code.
wget -O splunkforwarder-6.5.0-59c8927def0f-linux-2.6-x86_64.rpm ‘https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.0&product=universalforwarder&filename=splunkforwarder-6.5.0-59c8927def0f-linux-2.6-x86_64.rpm&wget=true’

# Install Splunk with YUM
yum –nogpgcheck localinstall splunkforwarder-6.5.0-59c8927def0f-linux-2.6-x86_64.rpm

# Start Splunk accepting the license
/opt/splunkforwarder/bin/splunk start –accept-license

# Enable Splunk to start at boot
/opt/splunkforwarder/bin/splunk enable boot-start

# If you are not using a Deployment Server to set the output.conf file, edit the file to send the data to Splunk
vi /opt/splunkforwarder/etc/system/local/outputs.conf



# Have Splunk grab the data from the /var/log folder
vi /opt/splunkforwarder/etc/system/local/inputs.conf


# Depending on your needs, you may need to add which index to send to or other factors.  Please consult the docs for inputs.conf.

# Now we need to restart Splunk to have all of our settings go in to effect.
/opt/splunkforwarder/bin/splunk restart

## You should now see the logs in Splunk.  Happy Splunking! ##