
How to measure vacation compliance issue without electronic PTO tracking?

carolynmcdonoug
Engager

Hello, my first question! I am a newish Splunk employee, writing a story to describe how a customer might use Splunk to meet a compliance issue. I can use any type of data or faux data in the example, my goal is to write the logic in a way that would help others enact the same logic to solve the same problem.

Problem:

  1. Customer must validate (for financial reasons) that all employees in list X took at least 14 days in a row off in a calendar year and did not use any systems during that entire 14-day period (this is a financial-industry requirement called Block Leave).
  2. Customer has no list of employees with dates of actual vacation time taken, as vacation time was not otherwise tracked electronically (surprising but true in the case I am documenting!). Thus they have to "look for a 14-day block of nothing" rather than validating that no activity occurred between Date A and Date B.

How does the customer "look for nothing" over a year and get a list of those who did take 14 days with no login or other activity on any system, and those who did not?

And is there a way to drill down to see which systems were accessed if there was noticeably less activity in the 14-day period but it was only on a certain system?

Thanks in advance, I know this is a "newbie" level question.

1 Solution

gkanapathy
Splunk Employee

Something like:

sourcetype=logins_to_systems
| streamstats global=f window=2 current=t
    earliest(_time) as previous_login_time
    latest(_time) as current_login_time
  by userid
| eval time_between_logins=current_login_time - previous_login_time
| stats max(time_between_logins) as longest_break by userid
| where longest_break < (14*24*60*60)

can give you a list of users who never had more than a 14-day break between logins. This gets you one answer, but it's not terribly generalizable to other reporting requirements and drilldowns you might have, e.g., looking for periods where activity was lower or the number of systems was lower. It would probably be useful to use:

sourcetype=logins_to_systems userid="a_specific_userid"
| timechart span=1d count by system_accessed

as a sort of drilldown from the previous search. Now, if you want to just see which users might have logged in less, the classic:

sourcetype=logins_to_systems
| timechart span=1d count by user

to start with might be useful, followed up with the drilldown to see what systems in particular were touched by a specific user.


Lucas_K
Motivator

I think you are looking at this from slightly the wrong direction.

What do you know from your systems? Well, you know when there was system activity from a particular user via your logs.

So, to answer your question, what you are looking for is a gap of at least 14 days between system activity. You're not looking for nothing; rather, you're looking for an end-of-work event (which will be your start event) and a start-of-work event (your ending event). The time difference (a delta value) between ANY two consecutive events should be at least 14 days for the window of time listed as vacation time.
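The gap-between-events logic from the accepted answer and the delta idea in this reply, as an added worked example that is not from either poster or from Splunk: it parses a constructed login feed, finds each user's longest stretch with no activity (treating the reporting-period edges as pseudo-events, an assumption, so leave at the very start or end of the period is also found), flags whether it reaches 14 days, and offers the per-system drilldown asked for in the question. Field names, sample users and systems are made up.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
BLOCK_LEAVE = timedelta(days=14)  # 14 consecutive days with no activity
# Constructed sample logins_to_systems feed (not real data): "<ISO time> <userid> <system_accessed>"
SAMPLE_LOG = """\
2023-01-03T08:00:00 alice hr-portal
2023-01-10T09:15:00 alice trading-app
2023-02-01T09:15:00 alice trading-app
2023-02-02T08:30:00 alice email
2023-02-20T08:30:00 alice email
2023-01-03T08:00:00 bob trading-app
2023-01-16T08:00:00 bob email
2023-01-29T08:00:00 bob trading-app
2023-02-11T08:00:00 bob email
2023-02-24T08:00:00 bob trading-app
"""

def parse_log(text):
    """Group events as {userid: [(time, system), ...]}, oldest first."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, user, system = line.split()
        events[user].append((datetime.fromisoformat(ts), system))
    return {u: sorted(evs) for u, evs in events.items()}

def longest_gap(times, period_start, period_end):
    """Longest interval with no activity. Period edges act as pseudo-events so leave at
    the very start or end of the period counts too (assumption: period_end is the end of
    log coverage, otherwise missing data looks like a break)."""
    points = [period_start] + sorted(times) + [period_end]
    best = (timedelta(0), None, None)
    for prev, cur in zip(points, points[1:]):
        if cur - prev > best[0]:
            best = (cur - prev, prev, cur)
    return best

def block_leave_report(log_text, period_start, period_end):
    """Per user: longest break, its bounds and whether it reaches 14 days."""
    p0, p1 = datetime.fromisoformat(period_start), datetime.fromisoformat(period_end)
    report = {}
    for user, evs in parse_log(log_text).items():
        gap, start, end = longest_gap([t for t, _ in evs], p0, p1)
        report[user] = {"longest_break_days": gap.days, "break_start": start,
                        "break_end": end, "compliant": gap >= BLOCK_LEAVE}
    return report

def systems_in_window(log_text, user, start, end):
    """Drilldown: which systems a user touched inside an ISO time window."""
    p0, p1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return Counter(s for t, s in parse_log(log_text).get(user, []) if p0 <= t <= p1)
```

Set `period_end` to the last timestamp your logs actually cover, not the calendar year end, or a user whose activity source stopped logging will look like they took leave.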

carolynmcdonoug
Engager

Thank you both for your answers. Actually, it WAS relevant, because they found employees who never had the 14 days without activity. Some of those employees proved they were in fact out during that time. So then the question was: who is logging in with your ID?


ppablo
Retired

I agree with Lucas K's approach. For this situation, it seems most logical to work with the machine data that is available, which is the logs of system activity for all employees. I'm assuming each employee has a specific login/ID # associated with them to track every activity across all systems. Each activity log should have a timestamp, which can be used to measure and determine whether they met the Block Leave requirement.

For the last question in your post @carolynmcdonoughtest, is that really relevant since it's required that they "did not use any systems during that entire 14-day period"?
