Splunk Lantern

Outlier credit card spending by value

You might need to monitor for unusual credit card usage when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


You work at a financial institution in the fraud department. You know that rarely using a card and suddenly spending too much could be a sign of a stolen credit card. You want to run a regular report to monitor for this behavior.

To optimize the search shown below, you should specify a time range. You may also need to adjust fields to match what is available in your data source.

  1. Run the following search:
    | sourcetype=<customer information data source>
    | eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")
    | sort - _time
    | stats sum(amount) AS total_spent first(_time) AS _time first(previous_tx_date) AS previous_date BY customer
    | where (('_time' > relative_time(strptime(previous_date,"%m/%d/%Y %H:%M:%S"),"+6mon")) AND (total_spent > 3000))
    | eval total_spent=tostring(round(total_spent,2),"commas")

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

| sourcetype=<customer information data source>
    Search only your business service data for customer information.

| eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")
    Parse the time stamp into a UNIX time value.

| sort - _time
    Sort the results from newest to oldest (descending time), so that first() in the next command returns the most recent transaction.

| stats sum(amount) AS total_spent first(_time) AS _time first(previous_tx_date) AS previous_date BY customer
    Return the total amount spent, the time of the current (most recent) transaction, and the time of the most recent previous transaction, renaming the fields as shown and grouping results by customer.

| where (('_time' > relative_time(strptime(previous_date,"%m/%d/%Y %H:%M:%S"),"+6mon")) AND (total_spent > 3000))
    Filter the results to only those where the current transaction is more than six months after the customer's most recent previous transaction, and where the amount spent is more than 3,000.

| eval total_spent=tostring(round(total_spent,2),"commas")
    Convert the monetary value to an amount rounded to two decimal places, inserting commas as thousands separators where needed.
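The same dormant-then-large-spend logic as an added Python example (not Splunk's or this article's code), run over a few constructed transactions so the six-month window and the 3,000 threshold can be checked offline. Field names and timestamp formats mirror the search above; a customer whose previous_tx_date is empty is skipped, which matches the search, where strptime on a null field yields null and the where clause never matches.

```python
import calendar
from collections import defaultdict
from datetime import datetime

# Constructed sample transactions, one record per purchase, using the fields the
# search expects: _time as "%Y/%m/%d %H:%M:%S", previous_tx_date (the card's last
# transaction before this one) as "%m/%d/%Y %H:%M:%S".
SAMPLE_TXNS = [
    {"customer": "C001", "amount": 1850.00, "_time": "2024/03/02 10:15:00", "previous_tx_date": "05/20/2023 09:00:00"},
    {"customer": "C001", "amount": 1400.00, "_time": "2024/03/01 18:40:00", "previous_tx_date": "05/20/2023 09:00:00"},
    {"customer": "C002", "amount": 4200.00, "_time": "2024/03/02 12:00:00", "previous_tx_date": "02/28/2024 08:30:00"},
    {"customer": "C003", "amount": 900.00, "_time": "2024/03/02 13:00:00", "previous_tx_date": "01/10/2023 11:00:00"},
    {"customer": "C004", "amount": 5000.00, "_time": "2024/03/02 14:00:00", "previous_tx_date": ""},  # first-ever use
]

def add_months(dt, months):
    """Mimic relative_time(..., "+6mon"): add calendar months, clamping the day."""
    month_index = dt.month - 1 + months
    year = dt.year + month_index // 12
    month = month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)

def find_outliers(txns, min_total=3000.0, gap_months=6):
    """Per customer: sum all amounts in the window, take the most recent
    transaction's time and previous_tx_date, and flag dormant-then-large spend."""
    by_customer = defaultdict(list)
    for t in txns:
        by_customer[t["customer"]].append(t)
    flagged = {}
    for customer, rows in by_customer.items():
        # sort - _time: newest first, so rows[0] is what first() would return
        rows.sort(key=lambda r: datetime.strptime(r["_time"], "%Y/%m/%d %H:%M:%S"), reverse=True)
        latest = rows[0]
        total = sum(r["amount"] for r in rows)
        if not latest["previous_tx_date"]:
            continue  # no prior transaction: the search's where clause cannot match
        previous = datetime.strptime(latest["previous_tx_date"], "%m/%d/%Y %H:%M:%S")
        current = datetime.strptime(latest["_time"], "%Y/%m/%d %H:%M:%S")
        if current > add_months(previous, gap_months) and total > min_total:
            # tostring(round(x,2),"commas"): two decimals, comma thousands separator
            flagged[customer] = f"{round(total, 2):,.2f}"
    return flagged

if __name__ == "__main__":
    print(find_outliers(SAMPLE_TXNS))  # {'C001': '3,250.00'}
```

Only C001 is flagged: C002 spent a lot but was active four days earlier, C003 was dormant but spent under the threshold, and C004 has no previous transaction to compare against.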


Run this report regularly and use the results to investigate, or to notify customers that their card may have been stolen or otherwise used fraudulently.
