Splunk Lantern

Number of wire transfers exceeds threshold

The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you count how many wire transfers a customer completes in a given time period. For more information, review the use case detecting wire transfer fraud.

Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.

Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.  

Splunk Search: sourcetype=<wire transfer data source>
Explanation: Search your wire transfer data.

Splunk Search: |sort - _time
Explanation: Sort the results so the most recent transfer comes first. The streamstats time_window option used later depends on the results being in time order.

Splunk Search: |eval amount=tostring(round(amount, 2),"commas")
Explanation: Round the amount value to two decimal places and add thousands separators for better readability.

Splunk Search: |streamstats time_window=1h count(eval(action="authorized")) AS authorized_count list(FromAccount) AS FromAccount list(ToAccount) AS ToAccount list(amount) AS amount list(action) AS action list(_time) AS time BY customer
Explanation: For each customer, use a sliding one-hour window to count the transfers whose action is "authorized" as authorized_count, and collect the source account, destination account, amount, action, and time of every transfer in that window as lists.

Splunk Search: |where authorized_count>=7
Explanation: Return only results where the authorized count is 7 or more. Adjust this threshold to what is normal for your customers.

Splunk Search: |fields - OpenDate epoch clientIP destIP _time
Explanation: Exclude the fields shown from the output.
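To make the window and threshold behaviour concrete, here is an added Python re-implementation of the detection logic in the search above. It is example code written for this page, not Splunk code or part of the use case: it walks constructed wire-transfer events newest-first (as the search does after sort - _time), keeps a per-customer sliding window of one hour, counts the transfers whose action is "authorized", and raises an alert whenever that count reaches 7. The Transfer dataclass, the sample customers C1001 and C2002, and the account identifiers are all constructed for illustration, and the amount formatting only approximates tostring(..., "commas").

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List

# Added example (not Splunk code): mirrors
#   streamstats time_window=1h count(eval(action="authorized")) AS authorized_count ... BY customer
#   | where authorized_count>=7
WINDOW = timedelta(hours=1)   # time_window=1h
THRESHOLD = 7                 # where authorized_count>=7


@dataclass
class Transfer:
    """One wire-transfer event; the field names follow the search above."""
    time: datetime
    customer: str
    from_account: str
    to_account: str
    amount: float
    action: str  # "authorized" or another outcome such as "denied"


def format_amount(amount: float) -> str:
    """Approximate eval amount=tostring(round(amount, 2),"commas")."""
    return f"{round(amount, 2):,.2f}"


def count_authorized_bursts(transfers: List[Transfer], window: timedelta = WINDOW,
                            threshold: int = THRESHOLD) -> List[dict]:
    """Process events newest-first and, for each event, count the same customer's
    transfers whose timestamp lies within `window` of it, the way streamstats
    time_window does. Return one alert per event whose authorized count
    reaches the threshold, carrying the same list() fields as the search."""
    ordered = sorted(transfers, key=lambda t: t.time, reverse=True)  # sort - _time
    in_window: Dict[str, Deque[Transfer]] = defaultdict(deque)
    alerts: List[dict] = []
    for event in ordered:
        events = in_window[event.customer]
        events.append(event)
        # Entries at the left of the deque are the newest; drop any that are
        # more than `window` ahead of the current (older) event.
        while events[0].time - event.time > window:
            events.popleft()
        authorized_count = sum(1 for t in events if t.action == "authorized")
        if authorized_count >= threshold:
            alerts.append({
                "customer": event.customer,
                "authorized_count": authorized_count,
                "time": event.time,
                "FromAccount": [t.from_account for t in events],
                "ToAccount": [t.to_account for t in events],
                "amount": [format_amount(t.amount) for t in events],
                "action": [t.action for t in events],
            })
    return alerts


def sample_transfers() -> List[Transfer]:
    """Constructed sample data (not real customer records)."""
    base = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    rows: List[Transfer] = []
    # C1001: eight authorized transfers within 35 minutes plus one denied attempt.
    for i, minutes in enumerate([0, 5, 10, 15, 20, 25, 30, 35]):
        rows.append(Transfer(base + timedelta(minutes=minutes), "C1001", "ACC-100",
                             f"ACC-9{i:02d}", 1250.5 + i, "authorized"))
    rows.append(Transfer(base + timedelta(minutes=12), "C1001", "ACC-100",
                         "ACC-999", 9000.0, "denied"))
    # C2002: also eight authorized transfers, but 20 minutes apart, so no
    # one-hour window ever holds seven of them.
    for i in range(8):
        rows.append(Transfer(base + timedelta(minutes=20 * i), "C2002", "ACC-200",
                             "ACC-300", 500.0, "authorized"))
    return rows


if __name__ == "__main__":
    for alert in count_authorized_bursts(sample_transfers()):
        print(alert["customer"], alert["authorized_count"], alert["time"], alert["amount"])
```

Running the block reports two alerts for C1001 (authorized_count 7 and then 8 as the window fills while walking back in time) and none for C2002, which illustrates that the threshold applies to transfers within a single hour rather than to the customer's total; the denied attempt stays in the list() fields but does not add to authorized_count.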