Hello, my first question! I am a newish Splunk employee, writing a story to describe how a customer might use Splunk to meet a compliance issue. I can use any type of data or faux data in the example; my goal is to write the logic in a way that would help others enact the same logic to solve the same problem.
Problem:
Customer must validate (for financial reasons) that all employees in list X took at least 14 days in a row off in a calendar year and did not use any systems during that entire 14-day period (this is a financial industry requirement called Block Leave).
Customer has no list of employees with dates of actual vacation time taken, as vacation time was not otherwise tracked electronically (surprising but true in the case I am documenting!). Thus they have to "look for a 14-day block of nothing" rather than validating that no activity occurred between Date A and Date B.
How does the customer "look for nothing" over a year and get a list of those who did take 14 days with no login or other activity on any system, and those who did not?
And is there a way to drill down to see which systems were accessed if there was noticeably less activity in the 14-day period but it was only a certain system?
Thanks in advance, I know this is a "newbie" level question.
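One way to write down the "look for a 14-day block of nothing" logic so it can be carried into any tool, as an added example that is not part of the original post: it parses constructed sample activity lines, finds each listed employee's longest run of days with no activity on any system (including quiet periods at the edges of the review window and employees who never appear in the logs), flags 14 or more days as meeting the Block Leave requirement, and provides the drill-down by system for a chosen window. The log format, user names and the one-month review window are constructed assumptions; for the real check the window is the calendar year.

```python
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta
# Constructed sample log (not from the original post): one login/command per line.
SAMPLE_LOG = """
2023-01-03T08:12:00Z user=alice system=trading
2023-01-17T09:00:00Z user=alice system=email
2023-01-31T09:30:00Z user=alice system=trading
2023-01-05T08:00:00Z user=bob system=trading
2023-01-10T08:00:00Z user=bob system=vpn
2023-01-25T08:00:00Z user=bob system=trading
"""
WINDOW = (date(2023, 1, 1), date(2023, 1, 31))  # short demo window; Block Leave uses the calendar year

def parse_log(text):
    """Return (user, day, system) tuples from the constructed key=value format."""
    events = []
    for line in text.strip().splitlines():
        ts, user, system = line.split()
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        events.append((user[len("user="):], day, system[len("system="):]))
    return events

def longest_gap(active_days, start, end):
    """Longest run of days in [start, end] with no activity: (days, first, last)."""
    days = [start - timedelta(days=1)]  # sentinel before the window
    days += sorted(d for d in set(active_days) if start <= d <= end)
    days.append(end + timedelta(days=1))  # sentinel after it, so edge gaps count
    best = (0, None, None)
    for prev, nxt in zip(days, days[1:]):
        free = (nxt - prev).days - 1  # whole days strictly between two active days
        if free > best[0]:
            best = (free, prev + timedelta(days=1), nxt - timedelta(days=1))
    return best

def block_leave_report(events, employees, start, end, min_days=14):
    """Per listed employee: longest quiet block, compliance flag, days with activity."""
    by_user = defaultdict(set)
    for user, day, _ in events:
        if start <= day <= end:
            by_user[user].add(day)
    report = {}
    for emp in employees:  # employees absent from the logs still get a row
        gap, first, last = longest_gap(by_user[emp], start, end)
        report[emp] = {"gap_days": gap, "gap_start": first, "gap_end": last,
                       "compliant": gap >= min_days, "active_days": len(by_user[emp])}
    return report

def systems_in_window(events, user, start, end):
    """Drill-down: which systems a user touched in a window, with counts."""
    return Counter(s for u, d, s in events if u == user and start <= d <= end)
```

An employee with zero active days in the whole window passes the check trivially, so treat that row as a log-coverage question before accepting it. In Splunk the same shape is a per-user ordering of events with the delta to each user's previous event; the code above is the tool-neutral version of that logic.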