I'm trying to build a Splunk Alert whose aim is to detect if a user account has been used. In this alert, I want to exclude a time range (between 5 and 6 a.m.) every Tuesday and Thursday. During this time, the account is supposed to be used legitimately. During this time frame I also want to exclude the IP address of the server that is using it.
To clarify, let's say that we have a server with the IP 10.10.10.5/32. This server uses the account useraccount each Tuesday and Thursday between 05:00 and 06:00. I need the Splunk Alert to search for any usage of the account, even on 10.10.10.5, but for the time period above, exclude 10.10.10.5 from the alert search, if that makes sense.
This is what I have so far, and I haven't been able to figure out a way to also exclude the server's IP address during this time frame.
index=firewall [search sourcetype="pan_panorama" AND "useraccount"]
| where NOT ( (date_wday=="tuesday" OR date_wday=="thursday") AND NOT (date_hour >= 5 AND date_hour < 6) )
If I try with this:
index=firewall [search sourcetype="pan_panorama" AND "useraccount"]
| where NOT ( (date_wday=="tuesday" OR date_wday=="thursday") AND NOT (date_hour >= 5 AND date_hour < 6) AND NOT ("From: 10.10.10.5") )
I receive Error in 'where' command: Typechecking failed. 'XOR' only takes boolean arguments.
I'm not sure how to proceed from here. How can I build a Splunk Alert search that excludes a time period and an IP address only during that time period?
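One way to express the combined exclusion in SPL, added here as an example and not taken from the question above. It assumes the firewall events carry the source address in a field named src_ip (a field-name assumption; adjust to whatever the pan_panorama sourcetype extracts) and derives the weekday and hour from _time with strftime rather than relying on the date_wday/date_hour fields, which are not always populated. Only events that match all three conditions (Tuesday or Thursday, 05:00 to 05:59, and source 10.10.10.5) are dropped; any other use of the account, including from 10.10.10.5 outside that window, still fires.

```spl
index=firewall sourcetype="pan_panorama" "useraccount"
| eval wday=lower(strftime(_time, "%A")), hr=tonumber(strftime(_time, "%H"))
| where NOT (
      (wday="tuesday" OR wday="thursday")
      AND hr>=5 AND hr<6
      AND src_ip="10.10.10.5"
  )
| table _time, wday, hr, src_ip, dest_ip, user
```

The original error comes from `NOT ("From: 10.10.10.5")`, which hands `where` a string literal instead of a boolean; a field comparison such as `src_ip="10.10.10.5"` is what the expression needs. strftime renders _time in the search user's timezone, so make sure the alert owner's timezone matches the one in which the 05:00 to 06:00 window is defined.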