Splunk Lantern

ATM withdrawal testing

You might want to know when an ATM card is used for a small and then a large withdrawal in rapid succession when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


As a financial institution employee, you know that suspicious users sometimes "test" ATM cards by making a small withdrawal first to see whether the card works and then, if that transaction succeeds, making a large withdrawal. Legitimate users rarely withdraw a very small amount and a very large amount within a short one-minute window. You want to create an alert that triggers on this suspicious activity.

To optimize the search shown below, you should specify a time range. You may also need to adjust field names to match what is available in your data source.

  1. Run the following search (the first line is the base search and takes no leading pipe; a leading pipe there would make Splunk treat "sourcetype" as a command):
    sourcetype=<ATM transaction data source>
    |search action=withdrawal
    |streamstats count time_window=1m min(amount) AS min max(amount) AS max BY user,location
    |where count>1 and min<20 and max>9000
    |table _time user action min max location
    |dedup user, location
    |eval min=tostring(round(min, 2),"commas")
    |eval max=tostring(round(max, 2),"commas")

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

sourcetype=<ATM transaction data source>
    Search your ATM transaction data.

|search action=withdrawal
    Search only withdrawal activity from the data in your lookup file.

|streamstats count time_window=1m min(amount) AS min max(amount) AS max BY user,location
    Use a sliding time window of 1 minute to find the minimum and maximum withdrawal amounts per user and location, along with the number of withdrawals in that window.

|where count>1 and min<20 and max>9000
    Define your outliers as a minimum withdrawal of less than 20 and a maximum of over 9,000 across at least 2 transactions in the window.

|table _time user action min max location
    Display the results in a table with columns in the order shown.

|dedup user, location
    Remove duplicate entries, keeping one row per user and location.

|eval min=tostring(round(min, 2),"commas")
|eval max=tostring(round(max, 2),"commas")
    Round the minimum and maximum values to two decimal places and add thousands separators for readability.
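The following is an added example, not part of the Splunk Lantern article and not SPL: it is a Python re-implementation of the same pipeline (withdrawal filter, 1-minute sliding window per user and location, the count/min/max threshold, dedup, and the comma formatting) run over a constructed key=value log. Field names (_time, user, location, action, amount), the sample users and ATM identifiers, and the thresholds are assumptions chosen to mirror the search above. It also shows the edge case the window is there to enforce: a small and a large withdrawal more than a minute apart is not flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample ATM transaction log (not real data). Field names follow
# the search on this page: _time, user, location, action, amount.
# alice: 10.00 then 9,500.00 within 35 s        -> should be flagged
# bob:   15.00 then 9,800.00 three minutes apart -> outside the window, not flagged
# carol: balance inquiry                          -> filtered out by action
# dave:  200.00 then 9,100.00 within 20 s        -> min is not < 20, not flagged
SAMPLE_LOG = """\
2024-05-01T10:00:05Z user=alice location=ATM-17 action=withdrawal amount=10.00
2024-05-01T10:00:40Z user=alice location=ATM-17 action=withdrawal amount=9500.00
2024-05-01T10:02:00Z user=bob location=ATM-03 action=withdrawal amount=15.00
2024-05-01T10:05:30Z user=bob location=ATM-03 action=withdrawal amount=9800.00
2024-05-01T10:06:00Z user=carol location=ATM-03 action=balance amount=0
2024-05-01T10:07:10Z user=dave location=ATM-21 action=withdrawal amount=200.00
2024-05-01T10:07:30Z user=dave location=ATM-21 action=withdrawal amount=9100.00
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a UTC _time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(FIELD_RE.findall(rest))
        ev["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["amount"] = float(ev["amount"])
        events.append(ev)
    return events


def find_test_withdrawals(events, window=timedelta(minutes=1), small=20.0, large=9000.0):
    """Python equivalent of:
         search action=withdrawal
         | streamstats count time_window=1m min(amount) AS min max(amount) AS max BY user,location
         | where count>1 and min<20 and max>9000
         | dedup user, location
    Returns one row per (user, location) whose sliding 1-minute window contains
    more than one withdrawal with a minimum below `small` and a maximum above `large`.
    """
    # streamstats needs time-ordered events; sort ascending like a normal search.
    withdrawals = sorted((e for e in events if e.get("action") == "withdrawal"),
                         key=lambda e: e["_time"])
    recent = defaultdict(deque)   # per-(user, location) sliding window of (time, amount)
    hits, seen = [], set()
    for ev in withdrawals:
        key = (ev["user"], ev["location"])
        q = recent[key]
        q.append((ev["_time"], ev["amount"]))
        # Evict anything older than the window relative to the current event,
        # which is what time_window=1m does in streamstats.
        while q and ev["_time"] - q[0][0] > window:
            q.popleft()
        amounts = [a for _, a in q]
        count, lo, hi = len(amounts), min(amounts), max(amounts)
        # "where" threshold plus "dedup": keep only the first qualifying row per key.
        if count > 1 and lo < small and hi > large and key not in seen:
            seen.add(key)
            hits.append({
                "_time": ev["_time"].isoformat(),
                "user": ev["user"],
                "location": ev["location"],
                "action": "withdrawal",
                "min": f"{lo:,.2f}",   # tostring(round(min, 2), "commas")
                "max": f"{hi:,.2f}",   # tostring(round(max, 2), "commas")
            })
    return hits


if __name__ == "__main__":
    for row in find_test_withdrawals(parse_events(SAMPLE_LOG)):
        print(row)
```

Running it prints a single row for alice at ATM-17 with min 10.00 and max 9,500.00. Bob's pair is the case to note: the amounts alone would match the thresholds, but because the two withdrawals are more than a minute apart they never share a window, so count never exceeds 1 and the alert stays quiet, exactly as the SPL would behave.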


When your ATM logs show users with a very small minimum withdrawal followed by a very large maximum withdrawal within the window, you may have found fraudsters who are testing the card at the ATM and then withdrawing a large amount. Use the results as a starting point for further investigation.
