The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you see which of your customers use your ATMs most often. For more information, review the use case detecting ATM fraud.
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
|sourcetype=<ATM transaction data source>||Search your ATM transaction data.|
||lookup <name of lookup file for ATM user risk scores> user OUTPUT score||
Perform a lookup to get risk scores per user.
If your lookup file does not contain user and score columns, adjust the search to match the names in your lookup.
||stats sum(score) AS Risk_Score count BY user||Sum the risk scores and counts for each user.|
||eventstats avg(count) AS avg stdev(count) BY stdev||Calculate the average count and standard deviation for each user.|
||where count>(avg+stdev*3.5)||Compare the count of users' access to the average count and some multiple of standard deviation of all users, in this example, 3.5.|
||sort - count||Sort the results with the highest transaction account first.|