Tony Reinke’s Talk at .conf2014

This year at Splunk’s annual conference, .conf2014, I was able to speak on Splunk User Groups.  The name of the talk was “How to Make New Friends (and Advance Your Career) by Starting Your Own Splunk User Group”.  I enjoyed giving the talk.  I have since been able to talk to other Splunk User Group leaders and people wanting to start their own User Group.

Below are the updated slides to the talk I gave.

1. Slide1  2.Slide2  3.Slide3
4. Slide4  5.Slide5 6. Slide6
 7.Slide7 8. Slide8  9.Slide9
10. Slide10 11. Slide11 12. Slide12
13. Slide13 14. Slide14 15. Slide15
16. Slide16 17. Slide17 18. Slide18
19. Slide19 20. Slide20 21. Slide21
22. Slide22 23. Slide23 24. Slide24
25. Slide25 26. Slide26 27. Slide27
28. Slide28 29. Slide29 30. Slide30
31. Slide31 32. Slide32 33. Slide33
34. Slide34 35. Slide35 36. Slide36
37. Slide37 38. Slide38 39. Slide39
40. Slide40 41. Slide41 42. Slide42

Our group is around 100 people in the mail list and average around 15 per meeting.  We have had a high of 34 people.  We typically meet every other month.  Since I cover the eastern part of Nebraska, I go between Lincoln and Omaha for each meeting.  Lincoln and Omaha are about an hour drive from each other.  Some people don’t want to make the drive.  This provides everyone a chance to get to a meeting.  Below is a typical meeting:

6:00 pm – Say hello and suggest everyone get some food  and something to drink
6:15 pm – Start the meeting with a  quick hello, where the bathrooms are, safety items (if needed), and go over what we are planning for the day.
6:25 pm – Introduce the company that is hosting the event.  Give a quick thanks to them and invite someone from their group to show off how they use Splunk.  This gives everyone a chance to brag on their Splunk use case and lets everyone attend hear a different way Splunk is being used or see a cool new dashboard.  People are then encouraged to ask questions either about how they did something or about the company.
6:55 pm – Thank the speaker, invite people to take a minute to refill their drinks, get more food, or use the facilities.
7:00 pm – Introduce the featured speaker for the night.  This could be a Splunk employee in person or via WebEx, one of our Splunk partners, or myself showing or teaching something.  Some examples are I showed installing Splunk from a fresh linux install, Jeff Blake has shown building your first dashboard, Bert Hayes showing capturing t-shark data in to Splunk to catch a hacker, or on WebEx we got a demo of Splunk Cloud.  This is the main focus of the meeting.  We want to be able to teach our group more Splunk so they go back excited.
7:45 pm – Ask for general questions or ideas for the next meeting.
7:50 pm – General Networking

All of the times listed there are floating.  If during the host company’s talk there is a lot of questions, we slide thing down.  We try to reserve the meeting spaces we get until 9:00 pm so there is plenty of time to network or asking questions.  As far as food, we normally get pizza.  It is easy and quick.  We have had events where it was self-serve buffet style.  We normally have a mix of a soda/pop and beer for drinks.  Alcohol is depended on the host companies willingness to allow alcohol.

For getting the message out about your meeting, Rachel Perkins is great about helping get the food, drinks, and venue paid for (if needed).  To get your event listed on the Splunk “Where We’ll Be Next” page, email and they will take care of it.  Most people have been using MeetUp ( to do the sign up for the meeting.  This will help you get an idea for the number of people that might show up to the event.  A lot of the model for our group is a combination of hacker user groups I have attended in the past.  It has been very helpful that Continuum (, our local Splunk partner,  has been so giving.  They help promote it and get their customers to the group.  Not having a Splunk employee in Nebraska, we have had to get creative.

License Usage by Host

This search will show you what hosts used how much of your license.  This is helpful in finding what system is eating away at your license.  I have used this before when we went over our daily license limit to find the system generating the extra data.

index=_internal source=*license_usage.log type=Usage | stats sum(b) as bytes by h | eval MBytes=bytes/1024/1024 | eval GBytes=bytes/1024/1024/1024 | addcoltotals | fillnull value="Total" h | table h,bytes,MBytes,GBytes | sort -GBytes

Click image below to see an example:
License by Host Graph


Our provider,, has suffered a massive outage.  We have stood up new site on our new provider,, and are working to restore the data.  We hope to get all our old posts and themes back.