topic How to Exclude Events on a Certain Day, within a Certain Time, and With a Specific User in Splunk Search

How to Exclude Events on a Certain Day, within a Certain Time, and With a Specific User

SplunkLunk — Sun, 05 Sep 2021 02:50:36 GMT

Greetings,

I need to exclude events that happen every Saturday between 2 AM and 4AM only if they have a specific username. An authenticated scan runs that triggers a lot of logon attempts with a specific user account during that time. My search so far isn't working:

index=[myindex] host=* sourcetype=linux_secure process=sshd ("tag::action"="success" OR "tag::action"="failure")
| eval hour = tonumber(strftime(_time,"%H"))
| eval dow = tonumber(strftime(_time,"%w"))
| where (dow!=6 AND (hour!=2 OR hour!=3 OR hour!=4) AND user=[username])

However, as soon as I remove the username variable the search works fine. Can anyone help me figure out what's wrong? Thanks.

Re: How to Exclude Events on a Certain Day, within a Certain Time, and With a Specific User

gcusello — Sun, 05 Sep 2021 09:22:02 GMT

Hi @SplunkLunk,

let me understand: you wnat to exclude from the results of your main search the logon of a predefined username (e.g. jde) in the hours between 2 and 4, is it correct?

if this is yuor need, probably there's an error in your search because the AND condition at the end excludes all the other logins.

In addition, you don't need to use eval and where, because you can put in yur main search the other conditions using the field "date_hour".

So, pleae, try something like this:

index=[myindex] sourcetype=linux_secure process=sshd ("tag::action"="success" OR "tag::action"="failure") NOT ((date_hour>1 date_hour<5) user=[username])) | ...

Ciao.

Giuseppe

Re: How to Exclude Events on a Certain Day, within a Certain Time, and With a Specific User

SplunkLunk — Sun, 05 Sep 2021 10:36:10 GMT

Thanks, but how do I exclude Saturday as well as part of the condition? The "date_wday=saturday" doesn't work and that's why I did the eval to assign a day of the week in the search.

Re: How to Exclude Events on a Certain Day, within a Certain Time, and With a Specific User

SplunkLunk — Sun, 05 Sep 2021 12:34:00 GMT

Thanks. I figured it out with your help. It turns out date_wday was being extracted as well. I just had the search term formed wrong. I ended up with the following:

NOT ((date_hour>=1 date_hour<5) AND user=[username] AND date_wday=saturday)

Re: How to Exclude Events on a Certain Day, within a Certain Time, and With a Specific User

gcusello — Mon, 06 Sep 2021 07:18:56 GMT

Hi @SplunkLunk,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉