Hello, my first question! I am a newish Splunk employee, writing a story to describe how a customer might use Splunk to meet a compliance issue. I can use any type of data or faux data in the example; my goal is to write the logic in a way that would help others enact the same logic to solve the same problem.
Problem:
How does the customer "look for nothing" over a year and get a list of those who did take 14 days with no login or other activity on any system, and those who did not?
And is there a way to drill down to see which systems were accessed if there was noticeably less activity in the 14 day period but it was only a certain system?
Thanks in advance, I know this is a "newbie" level question.
Something like:
sourcetype=logins_to_systems
| streamstats global=f window=2 current=t
earliest(_time) as previous_login_time
latest(_time) as current_login_time
by userid
| eval time_between_logins=current_login_time - previous_login_time
| stats max(time_between_logins) as longest_break by userid
| where longest_break < (14*24*60*60)
can give you a list of users who never had more than a 14-day break between logins. This gets you one answer, but it's not terribly generalizable to other reporting requirements and drilldowns you might have, e.g., looking for periods where activity was lower or the number of systems was lower. It would probably be useful to use:
sourcetype=logins_to_systems userid="a_specific_userid"
| timechart span=1d count by system_accessed
as a sort of drilldown from the previous search. Now, if you want to just see which users might have logged in less, the classic:
sourcetype=logins_to_systems
| timechart span=1d count by userid
to start with might be useful, followed up with the drilldown to see what systems in particular were touched by a specific user.
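The same gap-between-logins logic, as an added example in Python over constructed sample events (not Splunk code and not from the original answers). It goes a step further than the search above: the reporting window's start and end count as boundaries, so a leave period at the very beginning or end of the year, which has no login on one side, is still found; and it includes the per-system drilldown for one user and period. The log layout, field names, users and window dates are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample activity events, one per line, in a hypothetical
# "<ISO time> user=<id> system=<name>" layout (not a real Splunk sourcetype).
SAMPLE_LOGS = """\
2023-01-03T09:00:00 user=alice system=vpn
2023-01-10T09:00:00 user=alice system=hr-portal
2023-02-05T09:00:00 user=alice system=vpn
2023-01-12T09:00:00 user=bob system=vpn
2023-01-25T09:00:00 user=bob system=email
2023-02-07T09:00:00 user=bob system=vpn
2023-02-20T09:00:00 user=bob system=vpn
2023-01-21T09:00:00 user=carol system=vpn
2023-02-01T09:00:00 user=carol system=vpn
2023-02-12T09:00:00 user=carol system=vpn
""".splitlines()
BLOCK_LEAVE = timedelta(days=14)

def parse_events(lines):
    """Group (timestamp, system) per user, sorted by time (streamstats relies on order too)."""
    events = defaultdict(list)
    for line in lines:
        ts, user, system = line.split()
        events[user.split("=", 1)[1]].append((datetime.fromisoformat(ts), system.split("=", 1)[1]))
    return {u: sorted(evs) for u, evs in events.items()}

def longest_gap(times, window_start, window_end):
    """Longest inactivity span; window edges count as boundaries so leave at the period's start/end is seen."""
    points = [window_start] + times + [window_end]
    return max(((b - a, a, b) for a, b in zip(points, points[1:])), key=lambda g: g[0])

def block_leave_report(lines, window_start, window_end):
    """Per user: longest gap in whole days, whether it meets 14 days, and when it was (ISO strings)."""
    lo, hi = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    report = {}
    for user, evs in parse_events(lines).items():
        gap, start, end = longest_gap([t for t, _ in evs], lo, hi)
        report[user] = {"longest_gap_days": gap.days, "met_requirement": gap >= BLOCK_LEAVE,
                        "gap_start": start.isoformat(), "gap_end": end.isoformat()}
    return report

def systems_in_period(lines, user, start, end):
    """Drilldown for one user: per-system activity counts inside a period (like timechart count by system)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    counts = defaultdict(int)
    for t, system in parse_events(lines).get(user, []):
        if lo <= t <= hi:
            counts[system] += 1
    return dict(counts)
```

With the sample data, alice and carol meet the requirement (carol only because the window start is counted), while bob never exceeds 13 days.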
I think you are looking at this from slightly the wrong direction.
What do you know from your systems? Well, you know when there was system activity from a particular user via your logs.
So to answer your question, what you are looking for is a gap of at least 14 days between system activity. You're not looking for nothing; rather, you're looking for an end-of-work event (which will be your start event) and a start-of-work event (ending event). The time difference (a delta value) between ANY events should be at least 14 days for the window of time listed as vacation time.
Thank you both for your answers. Actually, it WAS relevant because they found employees who never had the 14 days without activity. Some of those employees proved they were in fact out during that time. So then the question was: who is logging in with your ID?
I agree with Lucas K's approach. For this situation, it seems the most logical, working with the machine data that is available, which is the logs of system activity for all employees. I'm assuming each employee has a specific login/ID # associated with them to track every activity across all systems. Each activity log should have a timestamp which can be used to measure and determine if they met the Block Leave requirement.
For the last question in your post @carolynmcdonoughtest, is that really relevant since it's required that they "did not use any systems during that entire 14-day period"?