Put cluster in maintenance mode
$SPLUNK_HOME/bin/splunk enable maintenance-mode
Rolling restart
splunk rolling-restart cluster-peers
Daily License volume by host
index=_internal source=*license_usage.log type=Usage | stats sum(b) as bytes by h | eval MB = round(bytes/1024/1024,1) | fields h MB | rename h as host
Find AD account lockout status in Splunk
EventCode=4740 Account_Name=<account name>