Skip to main content


Splunk Lantern

MiFID II best execution buy and sell violations


The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to run a regular report that shows which trades have violated buy and sell execution compliance. For more information, review the use case complying with the Markets in Financial Instruments Directive II .

Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment.  In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.

Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.  

Splunk Search Explanation
|sourcetype=<buy and sell order data source> Search only buy and sell order data.
|lookup <commodity reference data> _time, symbol OUTPUT exchangeA exchangeB exchangeC

Look up all trade prices from exchanges for each symbol. Compare the trade price with an exchange price. If the exchange price is lower, it is a violation.

You may have a business service data source that pulls this information into your Splunk deployment.

|where (action="buy") AND (amount>exchangeA OR amount>exchangeB OR amount>exchangeC)

Compare the trade price with an exchange price.

Change the action to "sell", if needed.