Splunk Lantern

Large and rapid credit card spending

You might need to monitor for high-value credit card spending spread across a large number of transactions when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You work for a credit card provider and need to monitor consumer transactions to prevent fraud. You know that one indicator is when a card is used to make a lot of purchases in a short time span, especially when the purchases are for large dollar amounts.

To optimize the search shown below, you should specify a time range. You may also need to adjust fields to match what is available in your data source. 

  1. Run the following search:

    | sourcetype=<customer information data source>
    | eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")
    | sort - _time
    | streamstats earliest(_time) AS _time latest(_time) AS latest_time time_window=1m count(action) AS num_transactions sum(amount) AS total_spent BY customer
    | where ((total_spent > 5000) AND (num_transactions >= 5))
    | eval latest_time=strftime(latest_time,"%Y/%m/%d %H:%M:%S"), total_spent=tostring(round(total_spent,2),"commas")
    | table customer, _time, latest_time, num_transactions, total_spent, category

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search | Explanation

| sourcetype=<customer information data source>

Search only your business service data for customer information.

| eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")

Parse the text time stamp into a UNIX epoch value. This step assumes the timestamp reaches the search as a string in the format shown. For events Splunk has already indexed, _time is already an epoch number, and strptime on a number returns null, which would leave streamstats with no time to window on; in that case drop this line, or point strptime at the string field that actually holds the timestamp.

| sort - _time

Sort the results from newest to oldest (descending _time). This is the order that streamstats with time_window requires. Note that sort keeps only the first 10,000 results by default; use sort 0 - _time to remove that limit on large transaction volumes.

| streamstats earliest(_time) AS _time latest(_time) AS latest_time time_window=1m count(action) AS num_transactions sum(amount) AS total_spent BY customer

For each event, compute statistics over a sliding one-minute window of the same customer's transactions: the earliest and latest timestamps in the window (renamed to _time and latest_time), the number of transactions that carry an action field, and the total amount spent. Because events arrive newest first, each row's window holds the current transaction together with the customer's following transactions that fall within one minute of it.

| where ((total_spent > 5000) AND (num_transactions >= 5))

Filter results to show only windows in which the customer spent more than 5,000 in total across at least 5 transactions within the one-minute window. Tune both thresholds to your own transaction data.

| eval latest_time=strftime(latest_time,"%Y/%m/%d %H:%M:%S"),total_spent=tostring(round(total_spent,2),"commas")    

Convert the UNIX time value of latest_time into a human-readable string. Then convert the total spending amount to a string rounded to two decimal places, with commas as thousands separators.

| table customer, _time, latest_time, num_transactions, total_spent, category

Display the results in a table with columns in the order shown.

Result

If the search returns results, alert the cardholder right away to prevent further fraud. A burst of high-value purchases within a minute could be an automated bot or a stolen credit card. Expect some legitimate high-volume customers to match as well, so review the flagged windows and tune the spending and count thresholds to your own transaction data.