The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you run a regular report that shows which consumer bank accounts are dormant. For more information, review the use case monitoring consumer bank accounts for potential fraud.
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
| Search step | Explanation |
|---|---|
| `sourcetype=<transaction data source>` | Search only your business service data for bank transactions. Replace the placeholder with the sourcetype that carries the transaction records, and add an index and time range to keep the search bounded. |
| `\| eval prev_epoch=strptime(last_touched, "%m/%d/%Y %H:%M:%S")` | Parse the time stamp for the last time the account was accessed (last_touched) into a UNIX time value. The format string must match how last_touched is actually written in your data; on a mismatch strptime returns null and that account silently drops out of the where filter below. |
| `\| sort - prev_epoch` | Sort the results from newest to oldest by the parsed time (`sort -` is descending). Sorting on the raw last_touched string would order the values lexically by month rather than chronologically. |
| `\| join customer [ \| inputlookup <customer account info file> ]` | Look up the other accounts held by the same customer and join them to the results on the customer field. join is an inner join by default, so a customer missing from the lookup file disappears from the report. |
| `\| where epoch>relative_time(prev_epoch, "+6mon")` | Keep only rows where the current transaction time (epoch) is at least six months after the account's last_touched time, that is, accounts that have been dormant for six months or more. epoch must already be a UNIX time field in your transaction data; if the transaction time only exists as _time, use _time here and in the convert step below. |
| `\| fields - prev_epoch, balance` | Remove the fields shown from the results. |
| `\| rename accountID AS current_accountID action AS current_action account_type AS current_account_type` | Rename the fields as shown for better readability. |
| `\| eval current_balance=tostring(round(current_balance, 2),"commas"), other_balance=tostring(round(other_balance, 2),"commas")` | Convert the balances to strings rounded to two decimal places, with commas as thousands separators. |
| `\| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(epoch) AS current_time` | Convert the epoch time to a human-readable time and output it to a field called current_time. |
| `\| fields - epoch` | Remove the epoch field from the results. |
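The steps above assembled into one search, with the transaction source and the customer lookup replaced by rows generated with makeresults so the dormancy filter can be checked offline before it is pointed at real data. This harness is an added example, not part of the original article: the customer IDs, account fields (customer, other_accountID, other_account_type, other_balance, current_balance), the balances and dates, and the fixed reference time of 12/01/2023 are all constructed for the test.

```spl
| makeresults count=4
| streamstats count AS n
| eval customer=case(n==1,"C1001", n==2,"C1002", n==3,"C1003", n==4,"C1004"),
       accountID="A".n,
       action="balance_inquiry",
       account_type="checking",
       current_balance=case(n==1,1234.567, n==2,50.1, n==3,98765.4321, n==4,7.0),
       last_touched=case(n==1,"01/15/2023 09:30:00", n==2,"11/02/2023 14:00:00", n==3,"06/30/2023 08:00:00", n==4,"05/30/2023 23:59:59"),
       epoch=strptime("12/01/2023 12:00:00", "%m/%d/%Y %H:%M:%S")
| fields - _time, n
| eval prev_epoch=strptime(last_touched, "%m/%d/%Y %H:%M:%S")
| sort - prev_epoch
| join customer [
    | makeresults count=4
    | streamstats count AS n
    | eval customer=case(n==1,"C1001", n==2,"C1002", n==3,"C1003", n==4,"C1004"),
           other_accountID="S".n,
           other_account_type="savings",
           other_balance=case(n==1,20000.005, n==2,0, n==3,15.5, n==4,300)
    | fields - _time, n ]
| where epoch>relative_time(prev_epoch, "+6mon")
| fields - prev_epoch
| rename accountID AS current_accountID action AS current_action account_type AS current_account_type
| eval current_balance=tostring(round(current_balance, 2),"commas"), other_balance=tostring(round(other_balance, 2),"commas")
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(epoch) AS current_time
| fields - epoch
```

With the reference time fixed at 12/01/2023 12:00:00, only C1001 (last touched 01/15/2023) and C1004 (05/30/2023) survive the where filter; C1003 (06/30/2023) is dropped because six months have not yet elapsed, and C1002 (11/02/2023) is recent. To run this against live data, replace the first block with `sourcetype=<transaction data source>` and the join subsearch with `| inputlookup <customer account info file>`, keeping the rest of the pipeline unchanged.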