The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you see when an ATM card is used for a small and then a large withdrawal in rapid succession. For more information, review the use case detecting ATM fraud.
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
| Splunk Search | Explanation |
| --- | --- |
| `sourcetype=<ATM transaction data source>` | Search your ATM transaction data. |
| | Search only withdrawal activity from the data in your lookup file. |
| `\| streamstats count time_window=1m min(amount) AS min max(amount) AS max BY user,location` | Use a time window of 1 minute to find the count, minimum, and maximum withdrawal amounts by user and location. |
| `\| where count>1 and min<20 and max>9000` | Define your outliers as a minimum withdrawal of less than 20 and a maximum of over 9,000 across at least 2 transactions in the window. |
| `\| table _time user action min max location` | Display the results in a table with columns in the order shown. |
| `\| dedup user, location` | Remove duplicate entries so that each user and location pair is reported once. |
| `\| eval min=tostring(round(min, 2),"commas")` `\| eval max=tostring(round(max, 2),"commas")` | Round the minimum and maximum values to two decimal places and add commas for better readability. |
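To show what the streamstats window and the where filter actually do to a stream of events, the following added example (not part of the Splunk documentation) re-implements the same pipeline in Python over a constructed set of ATM records. The field names, the 1-minute window and the 20 / 9,000 thresholds come from the search above; the sample transactions are made up, and the sliding window is approximated as a backward-looking window in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ATM events (not real data). Fields mirror the search:
# _time, user, location, action, amount.
TRANSACTIONS = [
    {"_time": "2024-03-01T10:00:05", "user": "u100", "location": "ATM-17", "action": "withdrawal", "amount": 10.00},
    {"_time": "2024-03-01T10:00:40", "user": "u100", "location": "ATM-17", "action": "withdrawal", "amount": 9500.00},
    {"_time": "2024-03-01T10:03:00", "user": "u200", "location": "ATM-03", "action": "withdrawal", "amount": 15.00},
    {"_time": "2024-03-01T10:10:00", "user": "u200", "location": "ATM-03", "action": "withdrawal", "amount": 9800.00},
    {"_time": "2024-03-01T10:05:00", "user": "u300", "location": "ATM-09", "action": "deposit", "amount": 5.00},
    {"_time": "2024-03-01T10:05:20", "user": "u300", "location": "ATM-09", "action": "withdrawal", "amount": 9900.00},
]


def find_small_then_large(transactions, window=timedelta(minutes=1), small=20, large=9000):
    """Approximate the SPL pipeline: keep withdrawals, compute count/min/max
    over a 1-minute window per (user, location) like streamstats, keep rows
    where count>1 and min<small and max>large, dedup on (user, location),
    and format min/max with two decimals and thousands separators."""
    rows = sorted((t for t in transactions if t["action"] == "withdrawal"),
                  key=lambda t: t["_time"])
    windows = defaultdict(deque)   # (user, location) -> recent (time, amount)
    seen = set()                   # dedup user, location
    hits = []
    for t in rows:
        key = (t["user"], t["location"])
        ts = datetime.fromisoformat(t["_time"])
        q = windows[key]
        q.append((ts, t["amount"]))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        amounts = [a for _, a in q]
        lo, hi = min(amounts), max(amounts)
        # where count>1 and min<20 and max>9000, then dedup user, location
        if len(q) > 1 and lo < small and hi > large and key not in seen:
            seen.add(key)
            hits.append({"_time": t["_time"], "user": t["user"], "action": t["action"],
                         "min": f"{lo:,.2f}", "max": f"{hi:,.2f}",
                         "location": t["location"]})
    return hits


if __name__ == "__main__":
    for row in find_small_then_large(TRANSACTIONS):
        print(row)
```

Only `u100` is flagged: its 10.00 and 9,500.00 withdrawals fall within one minute, while `u200` makes the same two amounts seven minutes apart and `u300`'s small transaction is a deposit, not a withdrawal.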