
Splunk Lantern

Excessive number of credit card transactions in a short period

You might need to monitor for an excessive number of credit card transactions when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You work at a financial institution in the fraud department. You know that too many transactions in one minute could indicate a stolen card, so you want to run a regular report to monitor for this behavior.

To optimize the search shown below, specify a time range. You may also need to adjust field names to match what is available in your data source.

  1. Run the following search:

    | sourcetype=<customer information data source>
    | eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")
    | sort - _time
    | streamstats earliest(_time) AS _time latest(_time) AS latest_time time_window=1m count(action) AS num_transactions BY customer
    | where (num_transactions >= 10)
    | eval latest_time=strftime(latest_time,"%Y-%m-%d %H:%M:%S")
    | dedup customer
    | table customer, _time, latest_time, num_transactions, category

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search / Explanation

| sourcetype=<customer information data source>
    Search only your business service data for customer information.

| eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")
    Parse the time stamp into a UNIX time value.

| sort - _time
    Sort the results from oldest to newest.

| streamstats earliest(_time) AS _time latest(_time) AS latest_time time_window=1m count(action) AS num_transactions BY customer
    Report cumulative time and transaction count statistics in one-minute increments, renaming the fields as shown and with results grouped by customer.

| where (num_transactions >= 10)
    Return only events where the number of transactions is greater than or equal to 10.

| eval latest_time=strftime(latest_time,"%Y-%m-%d %H:%M:%S")
    Convert the UNIX time value into a human-readable string.

| dedup customer
    Remove duplicate customer results.

| table customer, _time, latest_time, num_transactions, category
    Display the results in a table with columns in the order shown.
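To make the logic of the search concrete outside Splunk, here is an added Python example (not code from Splunk Lantern) that applies the same one-minute sliding window and threshold of 10 per customer to a constructed sample log; the line layout and the field names customer, action and category are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

TIME_FORMAT = "%Y/%m/%d %H:%M:%S"  # same format the search passes to strptime()

# Constructed sample log: "alice" makes 11 purchases within 50 seconds,
# "bob" makes 3 purchases spread over five minutes.
SAMPLE_LOG = "\n".join(
    [f"2024/03/01 10:00:{s:02d} customer=alice action=purchase category=electronics"
     for s in range(0, 55, 5)]
    + ["2024/03/01 10:00:10 customer=bob action=purchase category=grocery",
       "2024/03/01 10:00:40 customer=bob action=purchase category=grocery",
       "2024/03/01 10:05:00 customer=bob action=purchase category=grocery"]
)

def parse_event(line):
    """Split one log line into (epoch_time, customer, action, category)."""
    timestamp, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    epoch = datetime.strptime(timestamp, TIME_FORMAT).timestamp()  # eval _time=strptime(...)
    return epoch, fields["customer"], fields.get("action", ""), fields.get("category", "")

def find_bursty_customers(log_text, window_seconds=60, threshold=10):
    """Return {customer: (earliest, latest, num_transactions, category)} for every
    customer with at least `threshold` transactions inside one `window_seconds` span."""
    events = sorted(parse_event(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # per-customer events still inside the window
    flagged = {}
    for epoch, customer, action, category in events:
        if not action:
            continue  # count(action) only counts events that carry the field
        window = recent[customer]
        window.append((epoch, category))
        while epoch - window[0][0] > window_seconds:  # drop events older than 1m
            window.popleft()
        if len(window) >= threshold:  # where num_transactions >= 10
            # Overwriting keeps the most recent qualifying window per customer,
            # which is what dedup yields after the newest-first sort.
            flagged[customer] = (window[0][0], epoch, len(window), category)
    return flagged

def format_report(flagged):
    """Render the flagged customers like the final table, with strftime()-style times."""
    fmt = lambda t: datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S")
    return [{"customer": c, "_time": fmt(first), "latest_time": fmt(last),
             "num_transactions": n, "category": cat}
            for c, (first, last, n, cat) in sorted(flagged.items())]

if __name__ == "__main__":
    for row in format_report(find_bursty_customers(SAMPLE_LOG)):
        print(row)
```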

Result

Run a regular report showing which customers have used their card too frequently within a one-minute interval. Heavy use of a credit card in a short window may indicate a stolen card being used for a shopping spree.
