The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you see which ATM users make transactions close to a government-defined threshold. For more information, review the use case detecting ATM fraud.
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
|sourcetype=<ATM transaction data source>||Search your ATM transaction data.|
||where amount>9800 AND amount<10000
||Define your suspicious values as a minimum withdrawal of $9,801 and a maximum of beneath the threshold, in this case, $10,000.|
||table _time user action amount
||Display the results in a table with columns in the order shown.|
||eval amount=tostring(round(amount, 2),"commas")||Round the withdrawal amounts to two decimals places and add commas for better readability.|