The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you detect when a credit card has been used for purchases that are unusual for that account. For more information, review the use case detecting credit card fraud.
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
|| sourcetype=<customer information data source>||Search only your business service data for customer information.|
|| eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")||Parse the time stamp into a UNIX time value .|
|| sort - _time||Sort the results from oldest to newest.|
|| lookup <name of lookup file of categorized spending>||Search a lookup file of categorized spending by customer that you have previously uploaded into your Splunk deployment.|
|| streamstats window=1 list(category) AS category BY customer||Report cumulative category statistics in one-minute increments, renaming the fields as shown and grouped by customer|
|| where (amount > 1000)||Return only events where the amount spent is greater than 1,000.|
|| makemv delim="|" categories||Split the "categories" value of your results into multiple values using the "|" as the delimter.|
|| eval match=if(match(categories,category),1,0)||If the spending categories for the results returned match categories the customer normally spends on, according to the lookup, assign the match field a value of 1. Otherwise, assign a value of 0.|
|| where (match == 0)||Filter results to only those with a value of 0.|
|| eval amount=tostring(round(amount,2),"commas")||Convert the monetary value to a string rounded to two values, using a comma when needed.|
|| table customer, _time, amount, categories, category, action||Display the results in a table with columns in the order shown.|