Splunk Lantern

Outlier credit card spending by value

The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you detect when a credit card has been used for an unusually large transaction. For more information, review the use case detecting credit card fraud.

Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.

Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.

Splunk Search, with an explanation of each step

| sourcetype=<customer information data source>
    Search only your business service data for customer information.

| eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")
    Parse the time stamp into a UNIX time value.

| sort - _time
    Sort the results from newest to oldest (descending by _time).

| stats sum(amount) AS total_spent first(_time) AS _time first(previous_tx_date) AS previous_date BY customer
    Return the amount spent, the time of the current transaction, and the time of the most recent previous transaction, renaming the fields as shown and grouping the results by customer.

| where (('_time' > relative_time(strptime(previous_date,"%m/%d/%Y %H:%M:%S"),"+6mon")) AND (total_spent > 3000))
    Filter the results to only those where the time of the current transaction is more than six months after the most recent previous transaction, and where the amount spent is more than 3,000.

| eval total_spent=tostring(round(total_spent,2),"commas")
    Round the monetary value to two decimal places and format it with thousands separators (commas) where needed.
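As an added example (not code from the Lantern page or from Splunk), the same detection logic in Python run over constructed sample events, so the effect of the sort, stats/first() and where steps can be checked offline before the search is tuned. Field names, timestamp formats and the six-month / 3,000 thresholds follow the search above; add_months is an assumed stand-in for relative_time's "+6mon".

```python
from datetime import datetime
import calendar

# Constructed sample events (not real customer data) with the fields the search
# reads: _time in "%Y/%m/%d %H:%M:%S", previous_tx_date in "%m/%d/%Y %H:%M:%S".
SAMPLE_EVENTS = [
    {"customer": "C1001", "_time": "2023/09/10 14:02:11", "amount": 3200.50,
     "previous_tx_date": "01/15/2023 09:30:00"},   # big spend after ~8 idle months
    {"customer": "C1002", "_time": "2023/09/10 16:45:00", "amount": 4500.00,
     "previous_tx_date": "08/01/2023 12:00:00"},   # big spend, but recent activity
    {"customer": "C1003", "_time": "2023/09/12 09:15:00", "amount": 1500.00,
     "previous_tx_date": "02/01/2023 08:00:00"},   # long gap, but total stays low
    {"customer": "C1003", "_time": "2023/09/05 11:30:00", "amount": 900.00,
     "previous_tx_date": "01/20/2023 08:00:00"},
]

def add_months(dt, months):
    """Assumed stand-in for relative_time(x, "+Nmon"): add calendar months, clamping the day."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)

def find_outliers(events, min_total=3000, gap_months=6):
    """Return {customer: formatted total} for the customers the search would surface."""
    # eval _time=strptime(...) then sort - _time (newest first)
    parsed = [dict(e, _time=datetime.strptime(e["_time"], "%Y/%m/%d %H:%M:%S"))
              for e in events]
    parsed.sort(key=lambda e: e["_time"], reverse=True)
    # stats sum(amount) first(_time) first(previous_tx_date) BY customer; first() keeps the newest
    per_customer = {}
    for e in parsed:
        row = per_customer.setdefault(e["customer"], {
            "total_spent": 0.0, "_time": e["_time"],
            "previous_date": e["previous_tx_date"]})
        row["total_spent"] += e["amount"]
    # where _time > relative_time(strptime(previous_date, ...), "+6mon") AND total_spent > 3000
    flagged = {}
    for customer, row in per_customer.items():
        previous = datetime.strptime(row["previous_date"], "%m/%d/%Y %H:%M:%S")
        if row["_time"] > add_months(previous, gap_months) and row["total_spent"] > min_total:
            # eval total_spent=tostring(round(total_spent,2),"commas")
            flagged[customer] = f"{round(row['total_spent'], 2):,.2f}"
    return flagged

if __name__ == "__main__":
    for customer, total in find_outliers(SAMPLE_EVENTS).items():
        print(customer, total)   # C1001 3,200.50
```

Note that stats sums every transaction per customer in the time range, so a customer with several small purchases can be flagged once the sum passes the threshold, while a single large purchase preceded by recent activity is not.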