Skip to main content

 

Splunk Lantern

Bank accounts with large balances

You might need to run a regular report that shows which accounts have a large balance when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Customers having accounts with a large balance can sometimes cause a compliance issue for banks. In some countries, accounts are insured only up to certain threshold. This report provides just-in-time information so that at the time of an account transaction, you can inform the customer if their total accounts balance is greater than their country's established insured threshold.

To optimize the search shown below, you should specify a time range. You may also need to adjust fields to match what is available in your data source. 

  1. Run the following search:
    |sourcetype=<transaction data source>
    |eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S")
    |sort - _time
    |lookup <customer account info file> customer
    |stats  values(_time) AS _time list(balance) as current_account_balance list(account_type) AS current_account_type list(other_account_type) AS other_account_type list(other_accountID) AS other_accountID list(other_balance) AS other_balance sum(other_balance) AS Total_Balance BY customer
    |eval Total_Balance=Total_Balance+current_account_balance
    |search other_account_type="*" AND Total_Balance>250000
    |eval Total_Balance=tostring(round(Total_Balance, 2),"commas"), current_account_balance=tostring(round(current_account_balance, 2),"commas")

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
|sourcetype=<transaction data source> Search only your business service data for bank transactions.
|eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S") Parse the transaction time stamp into a UNIX time value.
|sort - _time Sort the results from oldest to newest.
|lookup <customer account info file> customer Search the customer field of a lookup file of customer accounts that you have previously uploaded into your Splunk deployment.
|stats  values(_time) AS _time list(balance) as current_account_balance list(account_type) AS current_account_type list(other_account_type) AS other_account_type list(other_accountID) AS other_accountID list(other_balance) AS other_balance sum(other_balance) AS Total_Balance BY customer Correlate the customer information with the lookup file data that shows the other accounts for the customer, renaming the fields as shown. Group the details by customer.
|eval Total_Balance=Total_Balance+current_account_balance Sum up the account balance for all accounts.
|search other_account_type="*" AND Total_Balance>250000 Search for results that show any value in the other_account_type field and have a Total Balance greater than 250,000.
|eval Total_Balance=tostring(round(Total_Balance, 2),"commas"), current_account_balance=tostring(round(current_account_balance, 2),"commas") Convert the balances to strings rounded to two values, using a comma when needed. 

Result

Every time a customer performs an account transaction, inform them about their other accounts, especially, when their total balance is greater than the country's insured accounts threshold. This allows them to take action to move assets or invest them into the bank's offerings.

  • Was this article helpful?