Skip to main content
Splunk Lantern

ATM withdrawal testing


The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you see when an ATM card is used for a small and then a large withdrawal in rapid succession. For more information, review the use case detecting ATM fraud.

Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.

Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.  

Splunk Search Explanation
|sourcetype=<ATM transaction data source> Search your ATM transaction data.
|search action=withdrawal

Search only withdrawal activity from the data in your lookup file.

|streamstats count time_window=1m min(amount) AS min max(amount) AS max BY user,location Use a time window of 1 minute to find min and max withdrawals by user.
|where count>1 and min<20 and max>9000 Define your outliers as a minimum withdrawal of less than 20 and a maximum of over 9,000 during at least 2 transactions.
|table _time user action min max location Display the results in a table with columns in the order shown.
|dedup user, location Remove duplicate entries.
|eval min=tostring(round(min, 2),"commas")
|eval max=tostring(round(max, 2),"commas")
Round the minimum and maximum values to two decimals places and add commas for better readability.