Skip to main content
Do you build apps on Splunk or are a Splunk admin? If so, we want to hear from you. Help shape the future of Splunk and win a $35 gift card!
 
 
Splunk Lantern

ATM withdrawal testing

 

The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you see when an ATM card is used for a small and then a large withdrawal in rapid succession. For more information, review the use case detecting ATM fraud.

Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.

Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.  

Splunk Search Explanation
sourcetype=<ATM transaction data source> Search your ATM transaction data.
|search action=withdrawal

Search only withdrawal activity from the data in your lookup file.

|streamstats count time_window=1m min(amount) AS min max(amount) AS max BY user,location Use a time window of 1 minute to find min and max withdrawals by user.
|where count>1 and min<20 and max>9000 Define your outliers as a minimum withdrawal of less than 20 and a maximum of over 9,000 during at least 2 transactions.
|table _time user action min max location Display the results in a table with columns in the order shown.
|dedup user, location Remove duplicate entries.
|eval min=tostring(round(min, 2),"commas")
|eval max=tostring(round(max, 2),"commas")
Round the minimum and maximum values to two decimals places and add commas for better readability.