You might want to know when a user appears to be at two different ATMs almost simultaneously.
To run this procedure in your environment, the following data, services, or apps are required:
- Splunk Enterprise or Splunk Cloud Platform
- Business service data for ATM transactions
Users who withdraw from multiple ATMs at almost the same time are most likely committing fraud. You want to create an alert that will trigger when a unique user makes a transaction at two ATMs in different locations within a very short time period.
To optimize the search shown below, you should specify a time range. You may also need to adjust fields to match what is available in your data source.
- Run the following search:

```spl
sourcetype=<ATM transaction data source> action=<withdrawal value>
| eval amount=tostring(round(amount, 2),"commas")
| streamstats time_window=1m dc(location) AS dc list(amount) AS amount list(location) AS location earliest(epoch) AS epoch latest(epoch) AS latest_epoch BY user
| where dc>1
| dedup user
| eval first_time=strftime(epoch,"%m/%d/%y %H:%M:%S"), last_time=strftime(latest_epoch,"%m/%d/%y %H:%M:%S")
| table user amount action location first_time last_time
```
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `sourcetype=<ATM transaction data source>` | Search your ATM transaction data. |
| `action=<withdrawal value>` | Search only withdrawal activity; use the field and value your data source records for withdrawals. |
| `\| eval amount=tostring(round(amount, 2),"commas")` | Round the withdrawal amounts to two decimal places and add commas for better readability. |
| `\| streamstats time_window=1m dc(location) AS dc list(amount) AS amount list(location) AS location earliest(epoch) AS epoch latest(epoch) AS latest_epoch BY user` | For each user, over a sliding 1-minute window, count the distinct locations, list the amounts and locations, and record the earliest and latest transaction time. |
| `\| where dc>1` | Filter to results where the distinct location count is greater than 1. |
| `\| dedup user` | Remove duplicate user values so each user appears once. |
| `\| eval first_time=strftime(epoch,"%m/%d/%y %H:%M:%S"), last_time=strftime(latest_epoch,"%m/%d/%y %H:%M:%S")` | Convert the epoch times into readable strings. |
| `\| table user amount action location first_time last_time` | Display the results in a table with columns in the order shown. |
Since users cannot be in two places at once, the results of this search provide a list of users you should investigate immediately. If you have Splunk Enterprise Security, the land speed violation use case provides additional information relevant to fraud involving multiple locations.
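The same sliding-window logic in Python, as an added example that is not from this page or from Splunk, run over constructed sample events: it mirrors the per-user 1-minute `streamstats` window, the `where dc>1` filter and `dedup user`, and sorts events by time first because `streamstats time_window` only works on time-ordered events. The field names and the `action` value `withdrawal` are assumptions.

```python
from collections import deque
from datetime import datetime, timezone

# Constructed sample ATM events (not real data); field names mirror the search.
SAMPLE_EVENTS = [
    {"user": "u1", "epoch": 1700000000, "amount": 200.0, "location": "Boston", "action": "withdrawal"},
    {"user": "u1", "epoch": 1700000030, "amount": 60.0, "location": "Denver", "action": "withdrawal"},
    {"user": "u2", "epoch": 1700000010, "amount": 40.0, "location": "Boston", "action": "withdrawal"},
    {"user": "u2", "epoch": 1700000020, "amount": 40.0, "location": "Boston", "action": "withdrawal"},
    {"user": "u3", "epoch": 1700000000, "amount": 100.0, "location": "Austin", "action": "withdrawal"},
    {"user": "u3", "epoch": 1700000120, "amount": 100.0, "location": "Miami", "action": "withdrawal"},
    {"user": "u4", "epoch": 1700000005, "amount": 500.0, "location": "Boston", "action": "deposit"},
    {"user": "u4", "epoch": 1700000006, "amount": 20.0, "location": "Denver", "action": "withdrawal"},
    {"user": "u5", "epoch": 1700000100, "amount": 80.0, "location": "Boston", "action": "withdrawal"},
    {"user": "u5", "epoch": 1700000120, "amount": 80.0, "location": "Boston", "action": "withdrawal"},
    {"user": "u5", "epoch": 1700000150, "amount": 300.0, "location": "Denver", "action": "withdrawal"},
    {"user": "u5", "epoch": 1700000170, "amount": 300.0, "location": "Denver", "action": "withdrawal"},
]

def fmt_time(epoch):
    # Same layout as strftime(epoch, "%m/%d/%y %H:%M:%S") in the search (UTC here).
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%y %H:%M:%S")

def find_multi_atm_users(events, window_seconds=60, action="withdrawal"):
    """Per user, keep a sliding window of `window_seconds` ending at the current
    event (streamstats time_window=1m ... BY user); report a user the first time
    the window holds more than one distinct location (where dc>1 | dedup user)."""
    # streamstats time_window needs time-ordered events, so sort explicitly.
    withdrawals = sorted((e for e in events if e["action"] == action), key=lambda e: e["epoch"])
    windows = {}  # user -> deque of that user's events inside the current window
    hits = {}     # user -> first flagged row; dict order preserves detection order
    for ev in withdrawals:
        win = windows.setdefault(ev["user"], deque())
        win.append(ev)
        while ev["epoch"] - win[0]["epoch"] > window_seconds:  # expire old events
            win.popleft()
        if len({e["location"] for e in win}) > 1 and ev["user"] not in hits:
            hits[ev["user"]] = {
                "user": ev["user"],
                "amount": [f"{e['amount']:,.2f}" for e in win],  # tostring(round(x,2),"commas")
                "location": [e["location"] for e in win],
                "first_time": fmt_time(win[0]["epoch"]),         # earliest(epoch)
                "last_time": fmt_time(ev["epoch"]),              # latest(epoch)
            }
    return list(hits.values())
```

Calling `find_multi_atm_users(SAMPLE_EVENTS)` flags only u1 and u5: u2 stays at one ATM, u3's two locations are more than a minute apart, and u4's Boston event is a deposit, so it is excluded before the window is built.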