

Splunk Lantern

Outlier credit card spending by category

You might need to monitor for unusual spending behavior by credit card customers when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


You work at a financial institution in the fraud department. You know that a common sign of fraud is when a customer starts spending large amounts of money in categories they don't usually shop in. For example, if a customer never uses their card for travel but suddenly buys a $2,000 airplane ticket, you would be concerned. You want to run a regular report to monitor for this behavior.

To optimize the search shown below, you should specify a time range. You may also need to adjust field names to match what is available in your data source.

  1. Run the following search:
    sourcetype=<customer information data source>
    | eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")
    | sort - _time
    | lookup <name of lookup file of categorized spending>
    | streamstats window=1 list(category) AS category BY customer
    | where (amount > 1000)
    | makemv delim="|" categories
    | eval match=if(match(categories,category),1,0)
    | where (match == 0)
    | eval amount=tostring(round(amount,2),"commas")
    | table customer, _time, amount, categories, category, action

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
sourcetype=<customer information data source> Search only your business service data for customer information.
| eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S") Parse the time stamp into a UNIX time value.
| sort - _time Sort the results by time in descending order, newest to oldest.
| lookup <name of lookup file of categorized spending> Enrich each event from a lookup file of categorized spending by customer that you have previously uploaded into your Splunk deployment.
| streamstats window=1 list(category) AS category BY customer For each customer, compute the list of category values over a sliding window of one event and write the result back into the category field.
| where (amount > 1000) Return only events where the amount spent is greater than 1,000.
| makemv delim="|" categories Split the "categories" value of your results into multiple values, using "|" as the delimiter.
| eval match=if(match(categories,category),1,0) If the category of the transaction matches one of the categories the customer normally spends on, according to the lookup, assign the match field a value of 1. Otherwise, assign a value of 0.
| where (match == 0) Keep only results where match is 0, that is, spending in a category the customer does not normally use.
| eval amount=tostring(round(amount,2),"commas") Convert the monetary value to a string rounded to two decimal places, inserting commas as thousands separators where needed.
| table customer, _time, amount, categories, category, action Display the results in a table with columns in the order shown.
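The following is an added example, not part of the original article or of Splunk's own code, that reproduces the logic of the search above in plain Python so you can check the detection rule against constructed data before wiring it to live transactions. The customer IDs, transaction events, and the pipe-delimited lookup of usual categories are all constructed here; the 1,000 threshold and the pipe delimiter come from the search. Two behaviours are assumptions of this example rather than anything the article states: category comparison is an exact set membership test rather than a regular-expression match, and a customer with no lookup row is treated as having no known categories, so any large purchase by that customer is flagged for review.

```python
from datetime import datetime

# Constructed lookup: each customer's usual spending categories, pipe-delimited,
# mirroring the "categories" field the lookup adds to every event.
USUAL_CATEGORIES = {
    "C1001": "grocery|fuel|dining",
    "C1002": "grocery|pharmacy",
    "C1003": "travel|dining|electronics",
}

# Constructed transaction events with the fields the search tables at the end.
TRANSACTIONS = [
    {"_time": "2024/03/01 09:15:00", "customer": "C1001", "amount": 2000.00, "category": "travel", "action": "purchase"},
    {"_time": "2024/03/01 10:02:00", "customer": "C1001", "amount": 45.10, "category": "fuel", "action": "purchase"},
    {"_time": "2024/03/02 14:30:00", "customer": "C1002", "amount": 1250.50, "category": "electronics", "action": "purchase"},
    {"_time": "2024/03/02 15:45:00", "customer": "C1002", "amount": 1800.00, "category": "grocery", "action": "purchase"},
    {"_time": "2024/03/03 08:00:00", "customer": "C1003", "amount": 999.99, "category": "jewelry", "action": "purchase"},
    # C1004 has no lookup row (assumption: flagged, since nothing is known about its habits).
    {"_time": "2024/03/03 19:20:00", "customer": "C1004", "amount": 3000.00, "category": "travel", "action": "purchase"},
]

AMOUNT_THRESHOLD = 1000  # the search's `where (amount > 1000)`
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"  # the search's strptime format


def parse_time(timestamp):
    """strptime('_time', "%Y/%m/%d %H:%M:%S"): parse the raw timestamp."""
    return datetime.strptime(timestamp, TIME_FORMAT)


def split_categories(raw):
    """makemv delim="|": split the lookup value into a set of categories.

    Empty fragments from a stray trailing delimiter are dropped.
    """
    if not raw:
        return set()
    return {part for part in raw.split("|") if part}


def format_amount(amount):
    """tostring(round(amount,2),"commas"): two decimals, thousands separators."""
    return f"{round(amount, 2):,.2f}"


def find_outlier_spending(transactions, lookup, threshold=AMOUNT_THRESHOLD):
    """Return large transactions in a category the customer does not usually use.

    Results are ordered newest first, matching `sort - _time`.
    """
    flagged = []
    # sort - _time: newest events first
    for event in sorted(transactions, key=lambda e: parse_time(e["_time"]), reverse=True):
        # where (amount > 1000)
        if event["amount"] <= threshold:
            continue
        usual = split_categories(lookup.get(event["customer"]))
        # eval match=... | where (match == 0): keep only unfamiliar categories
        if event["category"] in usual:
            continue
        flagged.append({
            "customer": event["customer"],
            "_time": event["_time"],
            "amount": format_amount(event["amount"]),
            "categories": sorted(usual),
            "category": event["category"],
            "action": event["action"],
        })
    return flagged


if __name__ == "__main__":
    for row in find_outlier_spending(TRANSACTIONS, USUAL_CATEGORIES):
        print(row)
```

Running the block prints three rows: the C1004 purchase (no lookup row), the C1002 electronics purchase, and the C1001 travel purchase; the C1002 grocery purchase is suppressed because grocery is one of that customer's usual categories, and the C1003 purchase never reaches the category check because it is under the threshold.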


Use the results of this report to investigate. You can also make this an alert that instantly notifies the customer. Use a lookup to get the customer's email or text message contact.
