The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to show you aggregate trade amounts that were impacted on a time-drifted host. For more information, review the use case complying with the Markets in Financial Instruments Directive II.
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
||lookup <NTP data by host>||Search only your SNTP data from the file you uploaded.|
|| sort - date||Sort the results from oldest to newest.|
||where drift<-0.1 OR drift>+0.1||
Return results where the host time drift is outside an acceptable range.
In production, use milliseconds for thresholds. Some banks may rely on atomic clocks for precision.
||lookup <transaction data lookup file> host, date||
Return transaction data.
You may have a business service data source that pulls this information into your Splunk deployment.
||table date, host, drift, amount, volume||Display the results in a table with columns in the order shown.|
||eval amount=tostring(round(amount, 2),"commas")||Convert the results to a readable string that is rounded to 2 decimal places and uses a comma.|