- Product: Splunk Enterprise or Splunk Cloud Platform
- Function: Monitoring, alerting, reporting
- Data: Business service data for wire transfer transactions
Wire transfer statistics can help analytics teams gain a deeper insight into their flow of funds. These statistics include a mapping of sources and destinations for transfers to see where the majority of funds are flowing. They also include the largest amounts of transfers being made and outlier transfer.
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
- ► Wire transfer actions
Wire transfers result in a number of action results, such as authorized, cancelled, denied, or in error. By seeing a distribution of these actions across time, you are in a better position to judge how the business is performing. View the results of this search in a column to compare a count of each result.
|sourcetype=<wire transfer transaction data source> | sort - _time | stats count BY action | sort - count
You can also use the timechart command to see how the distribution of results progresses across a time range, in this example, 15 minute increments.
|sourcetype=<wire transfer transaction data source> | eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S") | sort _time | timechart span=15m fixedrange=F count BY action
- ► Wire transfer errors
When a wire transfer attempt is made resulting in an error condition, it causes a bad customer experience. You want to proactively watch for these conditions so you can investigate root cause sooner.
| sourcetype=<wire transfer transaction data source> | eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S") |sort - _time |search action="error" |eval amount=tostring(round(amount, 2),"commas") |table * |fields - epoch OpenDate
- ► Wire transfer max amounts
Seeing the largest amounts being transferred over a time range with a customer name helps a bank identify customers with large accounts who are emptying some of their balance. You want to report on the top 10 largest amounts of money beng transferred at a given time.
| sourcetype=<wire transfer transaction data source> | eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S") |sort _time |search action="authorized" |stats max(amount) AS max_amount BY customer |sort - max_amount |head 10
- ► Wire transfer amount outliers
Users who have transferred amounts larger than the general population of users may be worth monitoring. By locating outliers in the amount that is being transferred, a bank can monitor which customers have the largest average transfers.
|sourcetype=<wire transfer transaction data source> |eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S") |sort - _time |search action="authorized" |stats avg(amount) AS avg_amount BY customer |eventstats avg(avg_amount) AS avg_all stdev(avg_amount) AS stdev_all |where avg_amount>(avg_all+stdev_all) |eval avg_amount=tostring(round(avg_amount, 2),"commas")
- ► Top transfer origins and destinations over time
By seeing over time the top client and destinations where transfers originate and where they are going, you can gather a picture of your business, as well as how many transfers are initiated and received. This helps you track your top customers.
This sample search uses "clientIP", which you can replace with "destIP" when needed.
| sourcetype=<wire transfer transaction data source> | eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S") | sort _time | timechart span=15m fixedrange=F count BY clientIP usenull=f limit=10
You can also view this information on a map for a better picture of origins and destinations.
- This sample search uses "clientIP" for iplocation and geostats, which you can replace with "destIP" when needed.
- This sample search assumes you have public IP addresses for these locations in your data, so that you can use the iplocation command to get the longitude and latitude instead. If you do not, you need to use a lookup with a location fields.
| sourcetype=<wire transfer transaction data source> | eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S") | sort _time | search action="authorized" | iplocation clientIP | geostats count BY clientIP
- ► Linking origins and destinations of wire transfers with a Sankey visualization
Visualizing the number of times a clientIP is linked to a location destination can help you identify trends. This may help in future planning and fraud use cases. For instance, if a destination is a source for another transfer, why is that? These are the types of questions this search can help raise. Run the search and then save the report as a Sankey visualization.
- You must have the Splunk Sankey Diagram - Custom Visualization app from Splunkbase installed on your Splunk instance to complete the visualization.
| sourcetype=<wire transfer transaction data source> | eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S") | sort _time | search action="authorized" | stats count BY clientIP,destIP
Use the results of these searches to evaluate service and improve the wire transfer experience for customers. You can also monitor unusual transactions to see whether they are one-time occurrences or regular activities. Such information can help you serve your customers better or understand when customers are at a risk of leaving your bank. When taking action on these results, be sure to follow any industry policies and regulations that are required for compliance.
The Splunk Essentials for the Financial Services Industry app helps you automate the searches provided in this article. The app also provides more insight on how they can be applied in your environment, how they work, the difficulty level, and what data can be valuable to run them successfully. In addition, the Splunk Essentials for the Financial Services Industry app provides a number of other monitoring and reporting solutions for financial services:
You might also be interested in monitoring wire transfers for potentially fraudulent activity.
Finally, these additional Splunk resources might help you understand and implement this use case: