You might need to monitor for an excessive number of credit card transactions when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Splunk Enterprise or Splunk Cloud Platform
- Business service data of customer information
You work at a financial institution in the fraud department. You know that too many transactions in one minute could indicate a stolen card, so you want to run a regular report to monitor for this behavior.
To optimize the search shown below, you should specify a time range. You may also need to adjust fields to match what is available in your data source.
- Run the following search:

```
sourcetype=<customer information data source>
| eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")
| sort - _time
| streamstats earliest(_time) AS _time latest(_time) AS latest_time time_window=1m count(action) AS num_transactions BY customer
| where (num_transactions >= 10)
| eval latest_time=strftime(latest_time,"%Y-%m-%d %H:%M:%S")
| dedup customer
| table customer, _time, latest_time, num_transactions, category
```
The table below explains what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
|---|---|
| `sourcetype=<customer information data source>` | Search only your business service data for customer information. |
| `\| eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")` | Parse the time stamp into a UNIX time value. |
| `\| sort - _time` | Sort the results in descending time order (newest first). |
| `\| streamstats earliest(_time) AS _time latest(_time) AS latest_time time_window=1m count(action) AS num_transactions BY customer` | Report cumulative time and transaction count statistics over a sliding one-minute window, renaming the fields as shown and with results grouped by customer. |
| `\| where (num_transactions >= 10)` | Return only events where the number of transactions is greater than or equal to 10. |
| `\| eval latest_time=strftime(latest_time,"%Y-%m-%d %H:%M:%S")` | Convert the UNIX time value into a human-readable string. |
| `\| dedup customer` | Keep only the first result for each customer, removing duplicate customer rows. |
| `\| table customer, _time, latest_time, num_transactions, category` | Display the results in a table with columns in the order shown. |
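The following Python script is an added example, not part of the original page and not Splunk code: it reproduces the logic of the search above (parse the `%Y/%m/%d %H:%M:%S` time stamp, count each customer's transactions inside a sliding one-minute window, flag customers at or above a threshold of 10, and keep one row per customer) over a small set of constructed transaction records. The comma-separated field layout, the customer IDs and the 10-per-minute threshold default are assumptions chosen for the demonstration; running it offline lets you check the detection logic before wiring up the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Time stamp layout the Splunk search parses with strptime().
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"
OUTPUT_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records: "<time>,<customer>,<action>,<category>".
# C-1001 makes 12 purchases within 44 seconds (a burst); C-2002 makes 3
# purchases spread over ten minutes (normal behaviour).
SAMPLE_EVENTS = [
    f"2024/03/01 12:00:{s:02d},C-1001,purchase,electronics" for s in range(0, 48, 4)
] + [
    "2024/03/01 12:00:05,C-2002,purchase,grocery",
    "2024/03/01 12:05:00,C-2002,purchase,fuel",
    "2024/03/01 12:10:00,C-2002,purchase,grocery",
]


def parse_events(lines):
    """Turn raw lines into event dicts, mirroring the eval/strptime step.

    The four-field CSV layout is an assumption for this example.
    """
    events = []
    for line in lines:
        ts, customer, action, category = line.strip().split(",")
        events.append({
            "_time": datetime.strptime(ts, TIME_FORMAT),
            "customer": customer,
            "action": action,
            "category": category,
        })
    return events


def flag_bursts(events, window=timedelta(minutes=1), threshold=10):
    """Sliding-window count per customer, like streamstats time_window=1m BY customer.

    For every event, count that customer's events whose time falls within
    `window` before it (inclusive). A customer is flagged when any window
    reaches `threshold`; as with `dedup customer`, one row per customer is
    returned, here the busiest window.
    """
    by_customer = defaultdict(list)
    for event in sorted(events, key=lambda e: e["_time"]):
        by_customer[event["customer"]].append(event)

    flagged = {}
    for customer, evs in by_customer.items():
        start = 0
        best = None
        for end, current in enumerate(evs):
            # Advance the window start until it is within `window` of `current`.
            while current["_time"] - evs[start]["_time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["num_transactions"]):
                best = {
                    "customer": customer,
                    "_time": evs[start]["_time"].strftime(OUTPUT_FORMAT),
                    "latest_time": current["_time"].strftime(OUTPUT_FORMAT),
                    "num_transactions": count,
                    "category": current["category"],
                }
        if best is not None:
            flagged[customer] = best
    return flagged


if __name__ == "__main__":
    for row in flag_bursts(parse_events(SAMPLE_EVENTS)).values():
        print(row)
```

Tune `window` and `threshold` to match the `time_window` and `where` values you settle on in Splunk; the same sample data shows C-2002 being flagged only when the window is widened well beyond a minute.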
Run a regular report showing which customers have used their card too frequently over a one-minute interval. Heavy use of a credit card in such a short window may indicate a stolen card being used for a shopping spree.