Tags: splunk, splunk-query

Splunk Alert - exclude IP address from time range only


I'm trying to build a Splunk Alert whose aim is to detect if a user account has been used. In this alert, I want to exclude a time range (between 5 to 6 a.m.) every Tuesday and Thursday. During this time, the account is supposed to be used legitimately. During this time frame I also want to exclude the IP address of the server that is using it.

To clarify, let's say that we have a server with the IP 10.10.10.5/32. This server uses the account useraccount each Tuesday and Thursday between 05:00 and 06:00. I need the Splunk Alert to search for any usage of the account, even on 10.10.10.5, but for the time period above, exclude 10.10.10.5 from the alert search, if that makes sense.

This is what I have so far, and I haven't been able to figure out a way to also exclude the server's IP address during this time frame.

index=firewall  [search sourcetype="pan_panorama" AND "useraccount"]
| where NOT ( (date_wday=="tuesday" OR date_wday=="thursday")  AND NOT (date_hour >= 5 AND date_hour < 6) )

If I try with this:

index=firewall  [search sourcetype="pan_panorama" AND "useraccount"]
| where NOT ( (date_wday=="tuesday" OR date_wday=="thursday")  AND NOT (date_hour >= 5 AND date_hour < 6) AND NOT ("From: 10.10.10.5") )

I receive Error in 'where' command: Typechecking failed. 'XOR' only takes boolean arguments.

I'm not sure how to proceed from here. How can I build a Splunk Alert search that excludes a time period and an IP address only during that time period?


Solution

  • Splunk is choking on the AND NOT "string" part of the where command. It doesn't make sense. Compare the string to a field value and it should work.

    index=firewall sourcetype="pan_panorama" AND "useraccount"
    | where NOT ( (date_wday=="tuesday" OR date_wday=="thursday")  
      AND date_hour = 5 AND cidrmatch(From, "10.10.10.5/32") )
    

    Also, I think the double-negative logic doesn't produce the right results. This query accepts all events except those on Tuesday or Thursday from 0500-0559 by IP address 10.10.10.5. Furthermore, there's no need for a subsearch.
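To make the answer's point about the double negative concrete, the following is an added example (not code from the original question or answer): it models the asker's `where` predicate and the corrected one as plain Python functions and evaluates both over a handful of constructed events. Splunk's `where` keeps an event when the expression is true, so each function returns True for an event that would reach the alert. The field names `date_wday`, `date_hour` and `From` are the ones used in the thread; the event ids, timestamps and the 192.0.2.7 address are made up for the illustration, and `cidrmatch` is a small stand-in for the Splunk function of the same name.

```python
# Added example: models the two `where` predicates from the thread as Python
# functions and runs them over constructed events, so the effect of the
# double-negative can be seen event by event. Not part of the original post.
import ipaddress

LEGIT_DAYS = {"tuesday", "thursday"}
LEGIT_SERVER = ipaddress.ip_network("10.10.10.5/32")


def cidrmatch(cidr, ip):
    """Stand-in for Splunk's cidrmatch(cidr, ip): True if ip lies inside cidr."""
    try:
        return ipaddress.ip_address(ip) in cidr
    except ValueError:  # malformed From field: treat as no match
        return False


def original_where(ev):
    """The asker's filter: NOT ((tue OR thu) AND NOT (5 <= hour < 6)).
    Returns True when the event is kept (i.e. would alert)."""
    in_days = ev["date_wday"] in LEGIT_DAYS
    in_window = 5 <= ev["date_hour"] < 6
    return not (in_days and not in_window)


def corrected_where(ev):
    """The answer's filter:
    NOT ((tue OR thu) AND hour == 5 AND cidrmatch(From, 10.10.10.5/32))."""
    in_days = ev["date_wday"] in LEGIT_DAYS
    return not (in_days and ev["date_hour"] == 5
                and cidrmatch(LEGIT_SERVER, ev["From"]))


# Constructed sample events (ids and the 192.0.2.7 host are invented).
EVENTS = [
    # the legitimate maintenance use: should NOT alert
    {"id": "legit-maint", "date_wday": "tuesday", "date_hour": 5, "From": "10.10.10.5"},
    # same server, same day, outside the window: should alert
    {"id": "tue-offhours", "date_wday": "tuesday", "date_hour": 10, "From": "10.10.10.5"},
    # a different host inside the window: should alert
    {"id": "other-host-in-window", "date_wday": "thursday", "date_hour": 5, "From": "192.0.2.7"},
    # right server and hour, but not a maintenance day: should alert
    {"id": "mon-in-window", "date_wday": "monday", "date_hour": 5, "From": "10.10.10.5"},
    # one hour after the window closes: should alert
    {"id": "thu-after-window", "date_wday": "thursday", "date_hour": 6, "From": "10.10.10.5"},
]


def alerting_events(predicate, events=EVENTS):
    """Return the ids of events that survive the where clause and would fire the alert."""
    return [ev["id"] for ev in events if predicate(ev)]


if __name__ == "__main__":
    print("original :", alerting_events(original_where))
    print("corrected:", alerting_events(corrected_where))
```

Running it shows why the original predicate is inverted: it keeps the legitimate Tuesday 05:xx event from 10.10.10.5 and silently drops every other Tuesday/Thursday use of the account, which is the opposite of what the alert is for. The corrected predicate suppresses only the scheduled-window use from the expected server and lets everything else through.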