Security

How to measure vacation compliance issue without electronic PTO tracking?

Hello, my first question! I am a newish Splunk employee, writing a story to describe how a customer might use Splunk to meet a compliance issue. I can use any type of data or faux data in the example, my goal is to write the logic in a way that would help others enact the same logic to solve the same problem.

Problem:

  1. Customer must validate (for financial reasons) that all employees in list X took at least 14 days in a row off in a calendar year and did not use any systems during that entire 14-day period (this is a financial-industry requirement called Block Leave).
  2. Customer has no list of employees with dates of actual vacation time taken, as vacation time was not otherwise tracked electronically (surprising but true in the case I am documenting!). Thus they have to "look for a 14-day block of nothing" rather than validating that no activity occurred between Date A and Date B.

How does the customer "look for nothing" over a year and get a list of those who did take 14 days with no login or other activity on any system, and those who did not?

And is there a way to drill down to see which systems were accessed if there was noticeably less activity in the 14-day period but it was only a certain system?

Thanks in advance, I know this is a "newbie" level question.

1 Solution

Splunk Employee

Something like:

sourcetype=logins_to_systems
| streamstats global=f window=2 current=t
    earliest(_time) as previous_login_time
    latest(_time) as current_login_time
  by userid
| eval time_between_logins=current_login_time - previous_login_time
| stats max(time_between_logins) as longest_break by userid
| where longest_break < (14*24*60*60)

can give you a list of users who never had more than a 14-day break between logins. This gets you one answer, but it's not terribly generalizable to other reporting requirements and drilldowns you might have, e.g., looking for periods where activity was lower or the number of systems was lower. It would probably be useful to use:

sourcetype=logins_to_systems userid="a_specific_userid"
| timechart span=1d count by system_accessed

as a sort of drilldown from the previous search. Now, if you want to just see which users might have logged in less, the classic:

sourcetype=logins_to_systems
| timechart span=1d count by user

to start with might be useful, followed up with the drilldown to see what systems in particular were touched by a specific user.



Motivator

I think you are looking at this from slightly the wrong direction.

What do you know from your systems? Well, you know when there was system activity from a particular user via your logs.

So to answer your question, what you are looking for is a gap of at least 14 days between system activity. You're not looking for nothing; rather, you're looking for an end-of-work event (which will be your start event) and a start-of-work event (your ending event). The time difference (a delta value) between ANY two events should be at least 14 days for the window of time listed as vacation time.

Thank you both for your answers. Actually, it WAS relevant, because they found employees who never had the 14 days without activity. Some of those employees proved they were in fact out during that time. So then the question was: who is logging in with your ID?

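The gap logic from the accepted answer and from Lucas K's reply, reimplemented in Python as an added example (this is not code from the original thread); the user IDs, login timestamps and system names are constructed sample data. It goes slightly beyond the SPL search: it also counts the stretches before the first and after the last login of the year (which the between-logins streamstats search does not see) and includes the per-system drilldown the question asks for.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

YEAR_START = datetime(2023, 1, 1)
YEAR_END = datetime(2024, 1, 1)          # exclusive upper bound
BLOCK = timedelta(days=14)               # Block Leave requirement

def day(n, hour=9):
    """Timestamp n days into the review year (constructed helper)."""
    return YEAR_START + timedelta(days=n, hours=hour)

# Constructed login events (userid, timestamp, system); not real data.
EVENTS = []
# alice: weekly logins, none on days 35 and 42 -> 21-day gap Jan 29 to Feb 19
EVENTS += [("alice", day(d), "trading") for d in range(0, 365, 7) if d not in (35, 42)]
# bob: a login every 10 days all year -> never 14 days off
EVENTS += [("bob", day(d), "trading") for d in range(0, 365, 10)]
# carol: first login Jan 21 -> the 20-day gap lies at the start of the year
EVENTS += [("carol", day(d), "trading") for d in range(20, 365, 7)]
# dave: weekly logins, but in early February only the email system
EVENTS += [("dave", day(d), "email" if d in (35, 42) else "trading") for d in range(0, 365, 7)]

def longest_gap(times, start, end, include_edges=True):
    """Longest stretch with no activity inside [start, end).
    include_edges also counts the time before the first and after the last
    login; the SPL streamstats search only measures between consecutive logins."""
    pts = sorted(t for t in times if start <= t < end)
    if include_edges:
        pts = [start] + pts + [end]
    # a single login with include_edges=False has no measurable break
    return max((b - a for a, b in zip(pts, pts[1:])), default=timedelta(0))

def block_leave_report(events, start=YEAR_START, end=YEAR_END, block=BLOCK, include_edges=True):
    """Return (longest gap per user, set of users who met the block-leave rule)."""
    by_user = defaultdict(list)
    for user, ts, _system in events:
        by_user[user].append(ts)
    gaps = {u: longest_gap(ts, start, end, include_edges) for u, ts in by_user.items()}
    return gaps, {u for u, g in gaps.items() if g >= block}

def systems_touched(events, user, start, end):
    """Drilldown for one user and window: which systems were used, and how often."""
    return Counter(system for u, ts, system in events if u == user and start <= ts < end)

if __name__ == "__main__":
    gaps, compliant = block_leave_report(EVENTS)
    for user, gap in sorted(gaps.items()):
        print(user, gap, "OK" if user in compliant else "NO 14-DAY BLOCK")
    print("dave, Jan 30 to Feb 18:", systems_touched(EVENTS, "dave", day(29), day(48)))
```

Running with include_edges=False reproduces the SPL result, under which carol is flagged even though her 20 days without activity simply fell at the start of the year.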

Community Manager

I agree with Lucas K's approach. For this situation, it seems most logical to work with the machine data that is available, which is the logs of system activity for all employees. I'm assuming each employee has a specific login/ID # associated with them to track every activity across all systems. Each activity log should have a timestamp, which can be used to measure and determine if they met the Block Leave requirement.

For the last question in your post @carolynmcdonoughtest, is that really relevant since it's required that they "did not use any systems during that entire 14-day period"?
