Skip to main content
Splunk Lantern

Most frequent ATM users

You might need to see which users conduct the most transactions on your ATMs when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


Users that use the ATM more than most average users may have questionable motives or have their credentials stolen. You want to see who those users are so you can set up alerts to watch their accounts for any suspicious activity.

To optimize the search shown below, you should specify a time range.  You may also need to adjust fields to match what is available in your data source. 

  1. Run the following search:
    |sourcetype=<ATM transaction data source>
    |lookup <name of lookup file for ATM user risk scores> user OUTPUT score
    |stats sum(score) AS Risk_Score count BY user
    |eventstats avg(count) AS avg stdev(count) AS stdev
    |where count>(avg+stdev*3.5)
    |sort - count

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
|sourcetype=<ATM transaction data source> Search your ATM transaction data.
|lookup <name of lookup file for ATM user risk scores> user OUTPUT score

Perform a lookup to get risk scores per user.

If your lookup file does not contain user and score columns, adjust the search to match the names in your lookup.

|stats sum(score) AS Risk_Score count BY user Sum the risk scores and counts for each user.
|eventstats avg(count) AS avg stdev(count) BY stdev Calculate the average count and standard deviation for each user.
|where count>(avg+stdev*3.5) Compare the count of users' access to the average count and some multiple of standard deviation of all users, in this example, 3.5.
|sort - count Sort the results with the highest transaction account first.


Counting access and comparing to average counts plus some multiple of standard deviation can find risky users, because for some reason, these users are using the ATM most. Compare this to users' risk scores to see if they need to be put on a watchlist.

  • Was this article helpful?