Skip to main content
Splunk Lantern

Large wire transfer immediately after account activation

You might want to see if new customers are trying to transfer large sums of money immediately after activating an account when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


In your financial services organization, you report weekly on new accounts. One of your concerns is new accounts being used to transfer bad checks. You want to search for large sums of money transferred when the account is less than one day old, which is a common indicator of a fraudulent account.

To optimize the search shown below, you should specify a time range. 

  1. Run the following search:
    |inputlookup <name of lookup file for wire transfer information>
    | eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S")
    |sort - _time
    |where _time<relative_time(OpenDate, "+1d") and amount>10000
    |eval AccountOpenDate=strftime(OpenDate,"%Y-%m-%d %H:%M:%S")
    |iplocation destIP
    |rename Country AS DestCountry City AS DestCity
    |table _time,AccountOpenDate, customer, amount, FromAccount, ToAccount, DestCountry, DestCity
    |eval amount=tostring(round(amount, 2),"commas")

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
|inputlookup <name of lookup file for wire transfer information> Search the data in your wire transfer information lookup file.
| eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S") Convert the time to a UNIX timestamp. 
|sort - _time Sort the results with the most recently occurring first.
|where _time<relative_time(OpenDate, "+1d") and amount>10000

Add 1 day to the current Open Date Time using relative_time. Check whether the current time is less than that and the transfer amount is greater than 10,000.

If your lookup file does not contain an OpenDate column, adjust the search to match the names in your lookup.

|eval AccountOpenDate=strftime(OpenDate,"%Y-%m-%d %H:%M:%S") Convert the UNIX time value of the account opening date into the format of the locale, as defined by the server's operating system, and place it in a field called AccountOpenDate.
|iplocation destIP Extract location information from the destination IP address.
|rename Country AS DestCountry City AS DestCity Rename the fields as shown for better readability.
|table _time,AccountOpenDate, customer, amount, FromAccount, ToAccount, DestCountry, DestCity Display the results in a table with columns in the order shown.
|eval amount=tostring(round(amount, 2),"commas") Round the amount value to two decimals places and add commas for better readability.


New customers who instantly try to transfer a large sum of money upon account activation might be opening fraudulent accounts used to transfer bad check. Investigate customers this search identifies according to your institutions standard operating procedures and regulations.