Splunk Lantern

Large and rapid credit card spending

The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you see when a credit card has been used an excessive amount. For more information, review the use case detecting credit card fraud.

Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.

Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.  

Splunk Search Explanation

| sourcetype=<customer information data source>

Search only your business service data for customer information.

| eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")

Parse the time stamp into a UNIX time value.

| sort - _time

Sort the results from newest to oldest (descending by _time). The time_window option used by streamstats in the next command requires events sorted by time, and with descending order each window starts at the current event and covers the transactions that follow it.

| streamstats earliest(_time) AS _time latest(_time) AS latest_time time_window=1m count(action) AS num_transactions sum(amount) AS total_spent BY customer

For each customer, over a sliding one-minute window, report the earliest and latest transaction time, the number of transactions, and the total amount spent, renaming the fields as shown.

| where ((total_spent > 5000) AND (num_transactions >= 5))

Filter the results to show only windows in which the total amount spent is greater than 5000 across at least 5 transactions within the one-minute period.

| eval latest_time=strftime(latest_time,"%Y/%m/%d %H:%M:%S"),total_spent=tostring(round(total_spent,2),"commas")    

Convert the UNIX time value back into a human-readable string. Then convert the dollar spending total to a string rounded to two decimal places, with commas as thousands separators where needed.

| table customer, _time, latest_time, num_transactions, total_spent, category

Display the results in a table with columns in the order shown.