Splunk Lantern

Customers with the most processed payments

You might want to report on which customers have the most payments processed when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


This search shows the customers who have the most payments cleared. Knowing which users receive the most responses gives you insight into how to treat your best customers to better service.

To optimize the search shown below, you should specify a time range. You may also need to adjust fields to match what is available in your data source.

  1. Run the following search:
    sourcetype=<payment processing data>
    | eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S")
    | sort _time
    | stats count values(_time) AS _time values(amount) AS amount BY customer
    | where count>2 AND (count%2==0)
    | eval CompletedPayments=count/2
    | top CompletedPayments BY customer
    | sort -CompletedPayments
    | head 10
    | fields - count, percent

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
| --- | --- |
| `sourcetype=<payment processing data>` | Search only your payment processing data. |
| `\| eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S")` | Parse the time stamp into a UNIX time value. |
| `\| sort _time` | Sort the results from oldest to newest. |
| `\| stats count values(_time) AS _time values(amount) AS amount BY customer` | Display the times and amounts of the payments. Then group the payments by their unique identifier. |
| `\| where count>2 AND (count%2==0)` | Limit the results to those with more than 2 transactions and an even count. |
| `\| eval CompletedPayments=count/2` | Calculate the CompletedPayments field as the count divided by 2. |
| `\| top CompletedPayments BY customer` | Find the most common values and calculate the count and the percentage of events in which each value occurs. Group the results by customer. |
| `\| sort -CompletedPayments` | Sort the number of completed payments with the highest count first. |
| `\| head 10` | Limit the results to the top 10. |
| `\| fields - count, percent` | Remove the fields shown from the results. |
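
To check what the `where` and `eval` steps keep and drop before you build a dashboard on them, the following added example (not part of the original Splunk Lantern search) emulates the counting logic in Python over constructed events. The event layout, the customer names, and the assumption that each completed payment appears as two events per customer (implied by `count/2`) are illustrative.

```python
from collections import Counter

# Constructed sample events (not real data): one dict per indexed event.
# Assumption: a completed payment shows up as two events for the customer,
# which is what the search's count/2 step implies.
SAMPLE_EVENTS = (
    [{"customer": "alice", "amount": 25.0}] * 6    # three completed payments
    + [{"customer": "bob", "amount": 40.0}] * 4    # two completed payments
    + [{"customer": "carol", "amount": 15.0}] * 3  # odd count: one unpaired event
    + [{"customer": "dave", "amount": 99.0}] * 2   # exactly one completed payment
)


def top_customers(events, limit=10):
    """Emulate: stats count BY customer | where count>2 AND (count%2==0)
    | eval CompletedPayments=count/2 | sort -CompletedPayments | head <limit>."""
    counts = Counter(e["customer"] for e in events)
    # Keep only customers with more than 2 events and an even event count.
    kept = {c: n // 2 for c, n in counts.items() if n > 2 and n % 2 == 0}
    ranked = sorted(kept.items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:limit]


def excluded_customers(events):
    """Return the customers the where clause drops, with the reason."""
    counts = Counter(e["customer"] for e in events)
    reasons = {}
    for customer, n in counts.items():
        if n <= 2:
            reasons[customer] = "count not greater than 2"
        elif n % 2 != 0:
            reasons[customer] = "odd event count"
    return reasons


if __name__ == "__main__":
    for customer, completed in top_customers(SAMPLE_EVENTS):
        print(f"{customer}: {completed} completed payments")
    for customer, reason in excluded_customers(SAMPLE_EVENTS).items():
        print(f"dropped {customer}: {reason}")
```

Customers with a single completed payment, or with any unpaired event in the time range, never appear in the results, so compare the dropped list against your data before treating the top 10 as complete.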


Add these results to a dashboard so you can monitor customers that are most active. Decisions can then be made with this data to improve the payments response application.