Skip to main content


Splunk Lantern

Dormant bank accounts

You might need to run a regular report that shows which accounts are dormant when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


Customers having dormant accounts can sometimes cause a compliance issue for banks. This report provides just-in-time information so that at the time of an account transaction, you can inform the customer if they have any untouched accounts older than 6 months from their current transaction date.

To optimize the search shown below, you should specify a time range. You may also need to adjust fields to match what is available in your data source. 

  1. Run the following search:
    |sourcetype=<transaction data source>
    |eval prev_epoch=strptime(last_touched, "%m/%d/%Y %H:%M:%S")
    |sort - last_touched
    |join customer [ |inputlookup <customer account info file> ]
    |where epoch>relative_time(prev_epoch, "+6mon")
    |fields - prev_epoch, balance|rename accountID AS current_accountID action AS current_action account_type AS current_account_type
    |eval current_balance=tostring(round(current_balance, 2),"commas"), other_balance=tostring(round(other_balance, 2),"commas")
    |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(epoch) AS current_time
    |fields - epoch

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
|sourcetype=<transaction data source> Search only your business service data for bank transactions .
|eval prev_epoch=strptime(last_touched, "%m/%d/%Y %H:%M:%S") Parse the time stamp for the last time the account was accessed into a UNIX time value.
|sort - last_touched Sort the results from oldest to newest.
|join customer [ |inputlookup <customer account info file> ]
Look up the other accounts for the customer and join the results.
|where epoch>relative_time(prev_epoch, "+6mon") Filter results to accounts whose last_touched date is at least 6 months greater than the current transaction date. 
|fields - prev_epoch, balance Remove the fields shown from the results.
|rename accountID AS current_accountID action AS current_action account_type AS current_account_type Rename the fields as shown for better readability.
|eval current_balance=tostring(round(current_balance, 2),"commas"), other_balance=tostring(round(other_balance, 2),"commas") Convert the balances to strings rounded to two values, using a comma when needed. 
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(epoch) AS current_time Convert the epoch time to a human readable time and output to a field called current_time.
|fields - epoch Remove the epoch field from the results.


Every time a customer performs an account transaction, inform them about their other accounts. If any account is dormant, let them know so they can take corrective action.

  • Was this article helpful?