The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you run a regular report to check how many accounts each customer has. For more information, review the use case monitoring consumer bank accounts for potential fraud.
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
||sourcetype=<transaction data source>||Search only your business service data for bank transactions.|
||eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S")||Parse the transaction time stamp into a UNIX time value.|
||sort - _time||Sort the results from oldest to newest.|
||lookup <customer account info file> customer||Search the customer field of a lookup file of customer accounts that you have previously uploaded into your Splunk deployment.|
||stats last(_time) AS _time list(accountID) AS accountID list(action) AS action list(amount) AS amount list(balance) AS balance values(other_accountID) AS other_accountID sum(other_balance) AS Total_Balance BY customer||Correlate the customer information with the lookup file data that shows the other accounts for the customer, renaming the fields as shown. Group the details by customer.|
||eval count_other_accounts=mvcount(other_accountID)||Count the number of other accounts and sum up the total balance. If the number of other_accounts is greater than 10, print results.|
||where count_other_accounts>10||Filter results to only those where the number of accounts per customer is greater than 10.|
||eval Total_Balance=Total_Balance+balance||Obtain the total balance for all the customer's accounts.|
||eval balance=tostring(round(balance, 2),"commas"), Total_Balance=tostring(round(Total_Balance, 2),"commas")||Convert the balances to strings rounded to two values, using a comma when needed.|