January 2015 Meeting

The January 2015 user group meeting will be at the First Data offices in Omaha, NE.  We will be meeting at 6pm on January 28th.

Register for in person tickets and online viewing tickets at:

Watch Live on YouTube:

Schedule of Events:

6:00pm – Start Meeting, Introductions and Welcomes

6:15pm – How First Data Is Using Splunk – Patrick Swartz of First Data will show us how First Data is currently using Splunk.

6:45pm – Getting Your Data into Splunk – Mike Mizener of Continuum Security Solutions will teach us about getting our data into Splunk.  Learn just what all the .conf files do and why they are there.

7:30pm – Violin Memory – Philip Wieczorek will be joining us to talk about Violin Memory and how their products can help you with your Splunk instances.

8:30pm – Networking

Splunk .conf2014 Downloads

With Splunk’s .conf2014 wrapped up, Splunk has released the content of the conference.  Below is the recorded keynote address from Godfrey Sullivan, Chairman and CEO of Splunk.  Godfrey is joined by Snehal Antani, CIO of GE Capital, Michael Connor, Senior Platform Architect of The Coca-Cola Company, and Lee Congdon, Vice President and CIO of Red Hat.

Splunk also makes most of the sessions available for downloading/viewing.  You can download PDFs and videos from most sessions at:

November Meeting – Conference Wrap Up

Hello Splunkers!

I am so excited to announce that Clint Sharp (@clintsharp) will be virtually attending our meeting. Clint is the Director of Product Management, Big Data, and Operational Intelligence at Splunk. He has been at Splunk for almost 3 years. Clint will be going over the new features in Splunk 6.2.

The meeting is still on the University of Nebraska – Lincoln City Campus. We have been upgraded to Brace Hall. Brace Hall is in the Brace Laboratory which is south of Memorial Stadium.

Register for the event at:

New Location:

Brace Laboratory
Rm. 308 in Brace Hall
510 Stadium Drive
Lincoln, NE 68508

Google Map of Brace Laboratory:

The best parking option would be the Stadium Parking Garage near the SW corner of the stadium (Stadium Drive and T Street). There are also meters along the parking garage and on the street south of the stadium. Meters are enforced until 7:30 PM.

Please join us for the Lincoln/Omaha Local Splunk User Group in Lincoln, NE and learn how more than 7,000 companies, government agencies and service providers are currently using Splunk. Whether you are getting started, creating intelligent searches/alerts or building complex dashboards, this group is for you. Meet other Splunk users and get tips to make you more successful.

If you have ideas or questions, please let us know. We can be contacted through the website (http://www.splunk402.com/contact-us/), through email (contact@splunk402.com), or you can call Tony Reinke at 402-323-4124.

Meeting Info

University of Nebraska – Lincoln
Our meeting this month will be hosted at the University of Nebraska Lincoln in Brace Laboratory. Make sure to register so we know the size of the room we need.

Date and Time:
November 5th, 2014 at 6pm

Brace Laboratory
Rm. 308 in Brace Hall
510 Stadium Drive
Lincoln, NE 68508

Register for the event at:


Splunk 6.2
Splunk released Splunk 6.2 on October 28. This update is focused on helping make the experience easier. Clint Sharp from Splunk will be talking about this during our meeting. You can read about the release at http://www.splunk.com/view/SP-CAAANNC.

University of Nebraska – Lincoln
Dan Buser from University of Nebraska – Lincoln will be showing how UNL is using Splunk in their environment.

User Experiences at .conf2014
Splunk’s annual .conf2014 was October 6th to October 9th. Listen as members of Splunk402 recount their .conf2014 experiences.

Tony Reinke’s Talk at .conf2014

This year at Splunk’s annual conference, .conf2014, I was able to speak on Splunk User Groups.  The name of the talk was “How to Make New Friends (and Advance Your Career) by Starting Your Own Splunk User Group”.  I enjoyed giving the talk.  I have since been able to talk to other Splunk User Group leaders and people wanting to start their own User Group.

Below are the updated slides to the talk I gave.

[Slides 1–42 from the talk]

Our group has around 100 people on the mailing list and averages around 15 per meeting.  We have had a high of 34 people.  We typically meet every other month.  Since I cover the eastern part of Nebraska, I go between Lincoln and Omaha for each meeting.  Lincoln and Omaha are about an hour's drive from each other.  Some people don’t want to make the drive.  This provides everyone a chance to get to a meeting.  Below is a typical meeting:

6:00 pm – Say hello and suggest everyone get some food and something to drink.
6:15 pm – Start the meeting with a quick hello, where the bathrooms are, safety items (if needed), and go over what we are planning for the day.
6:25 pm – Introduce the company that is hosting the event.  Give a quick thanks to them and invite someone from their group to show off how they use Splunk.  This gives everyone a chance to brag on their Splunk use case and lets everyone attending hear a different way Splunk is being used or see a cool new dashboard.  People are then encouraged to ask questions either about how they did something or about the company.
6:55 pm – Thank the speaker, invite people to take a minute to refill their drinks, get more food, or use the facilities.
7:00 pm – Introduce the featured speaker for the night.  This could be a Splunk employee in person or via WebEx, one of our Splunk partners, or myself showing or teaching something.  Some examples: I showed installing Splunk from a fresh Linux install, Jeff Blake has shown building your first dashboard, Bert Hayes showed capturing TShark data into Splunk to catch a hacker, and on WebEx we got a demo of Splunk Cloud.  This is the main focus of the meeting.  We want to be able to teach our group more Splunk so they go back excited.
7:45 pm – Ask for general questions or ideas for the next meeting.
7:50 pm – General Networking

All of the times listed there are floating.  If there are a lot of questions during the host company’s talk, we slide things down.  We try to reserve the meeting spaces we get until 9:00 pm so there is plenty of time to network or ask questions.  As far as food, we normally get pizza.  It is easy and quick.  We have had events where it was self-serve buffet style.  We normally have a mix of soda/pop and beer for drinks.  Alcohol depends on the host company’s willingness to allow it.

For getting the message out about your meeting, Rachel Perkins is great about helping get the food, drinks, and venue paid for (if needed).  To get your event listed on the Splunk “Where We’ll Be Next” page, email community@splunk.com and they will take care of it.  Most people have been using MeetUp (http://www.meetup.com/splunk/) to do the sign-up for the meeting.  This will help you get an idea of the number of people that might show up to the event.  A lot of the model for our group is a combination of hacker user groups I have attended in the past.  It has been very helpful that Continuum (http://www.cwcsecurity.com/), our local Splunk partner, has been so giving.  They help promote it and get their customers to the group.  Not having a Splunk employee in Nebraska, we have had to get creative.

License Usage by Host

This search will show you how much of your license each host used.  This is helpful in finding which system is eating away at your license.  I have used this before when we went over our daily license limit to find the system generating the extra data.

index=_internal source=*license_usage.log type=Usage | stats sum(b) as bytes by h | eval MBytes=bytes/1024/1024 | eval GBytes=bytes/1024/1024/1024 | addcoltotals | fillnull value="Total" h | table h,bytes,MBytes,GBytes | sort -GBytes
