Skip to main content
Splunk Lantern

ATM withdrawal near threshold

You might want to know which ATM users make transactions close to a government-defined threshold when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


In many countries, if a transaction is over a specified limit, it must be reported to the government. To slip under the radar, suspicious users may keep their transactions just under the limit. Users who consistently make ATM transactions just below the government threshold might be trying to hide their activity. You want to report on these transactions to decide if certain users require further investigation.  

To optimize the search shown below, you should specify a time range.  You may also need to adjust fields to match what is available in your data source. 

  1. Run the following search:
    |sourcetype=<ATM transaction data source>
    |where amount>9800 AND amount<10000
    |table _time user action amount
    |eval amount=tostring(round(amount, 2),"commas")

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
|sourcetype=<ATM transaction data source> Search your ATM transaction data.
|where amount>9800 AND amount<10000
Define your suspicious values as a minimum withdrawal of $9,801 and a maximum of beneath the threshold, in this case, $10,000.
|table _time user action amount
Display the results in a table with columns in the order shown.
|eval amount=tostring(round(amount, 2),"commas") Round the withdrawal amounts to two decimals places and add commas for better readability.


Run this search on a regular schedule to evaluate activity and track suspicious users over time. Users who slip multiple transactions in a short amount of time just under government detection may be participating in money laundering schemes.

  • Was this article helpful?