The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you detect credit card test purchases. For more information, review the use case detecting credit card fraud.
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
| Splunk Search | Explanation |
| --- | --- |
| `\| sourcetype=<customer information data source>` | Search only your business service data for customer information. |
| `\| eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")` | Parse the time stamp string into a UNIX time value. |
| `\| sort - _time` | Sort the results by `_time` in descending order (newest first), so the following `streamstats` sees events already ordered by time. |
| `\| streamstats earliest(amount) AS first_amount latest(amount) AS last_amount earliest(_time) AS _time latest(_time) AS latest_time time_window=1m count(action) AS num_transactions by customer` | For each customer, report the earliest and latest time, the earliest and latest monetary value, and the transaction count over a one-minute window, renaming the fields as shown. |
| `\| where (((first_amount < 20) AND (last_amount > 3000)) AND (num_transactions >= 2))` | Return only results where the value of the first transaction in the window is less than 20, the value of the last is greater than 3,000, and there were at least 2 transactions in total. |
| `\| eval first_amount=tostring(round(first_amount,2),"commas"), last_amount=tostring(round(last_amount,2),"commas"), latest_time=strftime(latest_time,"%Y/%m/%d %H:%M:%S")` | Convert the monetary values to strings rounded to two decimal places, inserting thousands separators (commas) where needed. Then convert the UNIX time value back into a human-readable string. |
| `\| table customer, _time, latest_time, num_transactions, first_amount, last_amount` | Display the results in a table with columns in the order shown. |
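The same detection logic, run offline over a handful of constructed transaction events, as an added example that is not part of the original page and is not Splunk code. It re-implements the search stages above in Python: parse the time stamp, group by customer, evaluate a one-minute window per event, apply the small-then-large-amount threshold with at least two transactions, and format the output like the `eval`/`table` stages. The sample events, the `SAMPLE_EVENTS` name, the threshold parameters, and the ascending-order window (each event looks back 60 seconds) are assumptions made for the example; the Splunk search sorts descending and lets `streamstats` handle the window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y/%m/%d %H:%M:%S"  # same format string the SPL strptime/strftime use

# Constructed sample events (not real customer data). C1001 shows the
# test-purchase pattern: a tiny probe followed by a large purchase within a
# minute. C2002 has the amounts but too far apart; C3003 has no small probe.
SAMPLE_EVENTS = [
    {"customer": "C1001", "_time": "2024/03/01 10:00:05", "action": "purchase", "amount": 1.00},
    {"customer": "C1001", "_time": "2024/03/01 10:00:40", "action": "purchase", "amount": 4500.00},
    {"customer": "C2002", "_time": "2024/03/01 10:01:00", "action": "purchase", "amount": 15.00},
    {"customer": "C2002", "_time": "2024/03/01 10:05:00", "action": "purchase", "amount": 3200.00},
    {"customer": "C3003", "_time": "2024/03/01 10:02:10", "action": "purchase", "amount": 250.00},
    {"customer": "C3003", "_time": "2024/03/01 10:02:30", "action": "purchase", "amount": 3100.00},
]


def parse_time(value):
    """Equivalent of the SPL strptime stage: string -> datetime."""
    return datetime.strptime(value, TIME_FMT)


def format_amount(amount):
    """Equivalent of tostring(round(x,2),"commas"): two decimals, thousands separators."""
    return f"{round(amount, 2):,.2f}"


def detect_test_purchases(events, window=timedelta(minutes=1), low=20.0, high=3000.0, min_txns=2):
    """Flag customers whose one-minute window starts with a small charge and ends with a large one.

    Returns one result row per event whose window satisfies the `where` stage,
    mirroring streamstats, which emits statistics for every event it sees.
    """
    by_customer = defaultdict(list)
    for event in events:
        by_customer[event["customer"]].append((parse_time(event["_time"]), event))

    results = []
    for customer, rows in by_customer.items():
        rows.sort(key=lambda r: r[0])  # oldest to newest (assumption: look-back window)
        for i, (t, _) in enumerate(rows):
            # Window = this event plus earlier events no more than `window` before it.
            window_rows = [r for r in rows[: i + 1] if t - r[0] <= window]
            first_time, first_event = window_rows[0]      # earliest(_time), earliest(amount)
            latest_time, last_event = window_rows[-1]     # latest(_time), latest(amount)
            num_transactions = sum(1 for r in window_rows if r[1].get("action"))  # count(action)
            if first_event["amount"] < low and last_event["amount"] > high and num_transactions >= min_txns:
                results.append({
                    "customer": customer,
                    "_time": first_time.strftime(TIME_FMT),
                    "latest_time": latest_time.strftime(TIME_FMT),
                    "num_transactions": num_transactions,
                    "first_amount": format_amount(first_event["amount"]),
                    "last_amount": format_amount(last_event["amount"]),
                })
    return results


if __name__ == "__main__":
    for row in detect_test_purchases(SAMPLE_EVENTS):
        print(row)
```

Running the block prints a single row for `C1001`; `C2002` is excluded because its two charges are four minutes apart, and `C3003` because its first charge is not below 20. The thresholds are parameters so the same function can be tuned the way the `where` stage would be.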