TIPS & TRICKS

Announcing the Splunk Essentials for the Financial Services Industry App

Splunk and its suite of products have always been at the forefront of solutions that help the IT and security industries. Moreover, many of the problems that Splunk solves go beyond traditional IT/security use cases and positively impact business analytics, along with the vertical markets they serve.

With that in mind, in the tradition of the Splunk Essentials series, which started with the first Essentials app, Splunk Security Essentials, we would like to formally announce the Splunk Essentials for the Financial Services Industry (FSI) app, now available on Splunkbase. This is our first Essentials app that focuses on a vertical market. FSI users of Splunk will be able to choose from a variety of examples that cover use cases ranging from consumer banking to trading to brokerages.

What is Splunk Essentials? Splunk Essentials is a series of free learning apps on Splunkbase, created by Splunkers, that teach users how to address use cases with advice, relevance, sample searches written in the Search Processing Language (SPL) against included sample data, and screenshots of relevant content. The app indexes no new data without the user's consent, and every example is self-contained, with its own sample data loaded through the Splunk Enterprise inputlookup command. A use case in Splunk Essentials is a common task to monitor or analyze, and it contains multiple examples that help realize the use case.

Let's get started with the Splunk Essentials for FSI app, for which the first release ships with 15 use cases covering 94 examples.

Essentials for FSI

After downloading the app and installing it on a standalone machine or a Splunk search head, the app is ready to go. The introduction page contains all the use cases.

We've broken down the use cases into three themes.

Consumer Banking Fraud

  • ATM Fraud
  • Wire Transfer Fraud
  • Credit Card Fraud

For Fraud, you'll notice that there are five examples per use case, as this is just an introduction to the topic. Fraud in consumer banking usually occurs when an account is taken over, either through stolen credentials or through illegitimate access to cards. Insider threat can also lead to fraud. Keep in mind that these examples indicate that fraud may have occurred because of unusual behavior; nothing is definite, as there may be legitimate reasons for the behavior. These use cases are here to get the user started on the topic. More examples will be added in a future release.

The next theme is compliance. There are two use cases with examples for compliance.

Compliance

  • MiFID
  • Bank Account Compliance

MiFID is a European Union compliance directive that, among other things, ensures that trades get the best possible execution price across multiple venues. For Splunk, it usually means making sure that all hosts involved in trading systems keep their clocks within a defined tolerance of the reference time (MiFID II requires business clocks to be synchronized to UTC). Wrong time settings could lead to incorrect trade execution, and the examples cover checking hosts for clock drift.

For Bank Account Compliance, the use case involves multi-channel banking: after a customer performs a banking transaction, all of their accounts with the bank are checked against reference data (Splunk lookups) for issues such as negative balances, dormant accounts, too many accounts, and so on. This not only lets the bank alert the customer, but also helps in future audits by showing that the bank stayed within the rules it establishes for itself.

The third theme for this Essentials app involves statistics or analytics defined over time-series data. In Splunk, most of the time this is done as soon as the data is indexed, which is near real time, as opposed to other solutions that take an ETL approach to unstructured machine data and can take minutes to hours before results are tabulated. The data sources for these use cases usually involve proprietary application log files.

Analytics

  • Bitcoin - statistics and tracing of bitcoin logs. Use Bitcoin Observer for your data.
  • FIX - explains how this compact, hard-to-read protocol for trades can be made human readable, allowing for many different use cases. Use the translatefix command for your data.
  • Transaction Statistics - performs a variety of analytics for a hypothetical four-stage transaction, including calculating end-to-end durations and the durations between stages.
  • Trade - Where is it? - traces trade data based on common IDs across systems. Once the trade data is stitched together, analytics follows.
  • Payment Response - does a request for payment get a response, matched on common IDs? Statistics for responses are part of this use case, including examples for hypothetical SLA tracking.
  • New User Login - after a new user registers for your site, what is the back-end experience for the user the first time they log in? Do they get denied or see bad end-to-end response times? What are the outliers?
  • ATM Statistics - analytics on aggregate ATM usage.
  • Wire Transfer Statistics - analytics on aggregate wire transfers.
  • Credit Card Statistics - analytics on credit card usage, split by the sub-contractors issuing the cards.
  • New Credit Limit - analytics on approved or denied customer requests for new credit limits.
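The technique behind Transaction Statistics, Trade - Where is it? and Payment Response is the same: stitch events from different systems together on a common ID, then measure what happened between stages and notice what never happened at all. The following Python is an added example, not code or sample data from the app, that does this over constructed log lines. The four stage names, the txn field and the log layout are assumptions; a real pipeline would use its own.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical four-stage pipeline; the real stage names depend on your application.
STAGES = ["received", "validated", "routed", "settled"]

# Constructed sample events (not the app's bundled data). Each line is one stage of
# one transaction, tied together by the common ID in the txn field.
SAMPLE_LOG = """\
2018-10-15T10:00:00Z txn=T100 stage=received system=gateway
2018-10-15T10:00:02Z txn=T100 stage=validated system=risk
2018-10-15T10:00:07Z txn=T100 stage=routed system=router
2018-10-15T10:00:30Z txn=T100 stage=settled system=ledger
2018-10-15T10:00:01Z txn=T101 stage=received system=gateway
2018-10-15T10:00:04Z txn=T101 stage=validated system=risk
2018-10-15T10:00:01Z txn=T102 stage=received system=gateway
2018-10-15T10:00:03Z txn=T102 stage=validated system=risk
2018-10-15T10:00:05Z txn=T102 stage=routed system=router
2018-10-15T10:01:05Z txn=T102 stage=settled system=ledger
"""


def parse(text):
    """Yield one dict per non-empty 'timestamp key=value ...' line, with _time parsed."""
    for line in text.splitlines():
        if line.strip():
            ts, *kvs = line.split()
            yield {"_time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                   **dict(kv.split("=", 1) for kv in kvs)}


def stitch(events, stages=STAGES):
    """Group events by txn and compute completeness, per-stage gaps and end-to-end duration.

    Arrival order does not matter (events are keyed by stage, not by position), but a
    repeated stage event, e.g. a retry, overwrites the earlier timestamp.
    """
    seen_by_txn = defaultdict(dict)
    for e in events:
        seen_by_txn[e["txn"]][e["stage"]] = e["_time"]
    result = {}
    for txn, seen in seen_by_txn.items():
        gaps = {}
        for prev, cur in zip(stages, stages[1:]):
            if prev in seen and cur in seen:
                gaps[f"{prev}->{cur}"] = (seen[cur] - seen[prev]).total_seconds()
        missing = [s for s in stages if s not in seen]
        total = None if missing else (seen[stages[-1]] - seen[stages[0]]).total_seconds()
        result[txn] = {"complete": not missing, "missing": missing,
                       "gaps_s": gaps, "total_s": total}
    return result


def sla_breaches(stitched, limit_s):
    """IDs of completed transactions whose end-to-end duration exceeds limit_s seconds."""
    return sorted(t for t, r in stitched.items() if r["complete"] and r["total_s"] > limit_s)


def stage_stats(stitched):
    """Average, max and count for each stage-to-stage gap that could be measured."""
    acc = defaultdict(list)
    for r in stitched.values():
        for gap, secs in r["gaps_s"].items():
            acc[gap].append(secs)
    return {g: {"avg_s": sum(v) / len(v), "max_s": max(v), "n": len(v)} for g, v in acc.items()}


if __name__ == "__main__":
    stitched = stitch(parse(SAMPLE_LOG))
    for txn, row in sorted(stitched.items()):
        print(txn, row)
    print("SLA breaches (>45 s):", sla_breaches(stitched, 45))
    print("stage stats:", stage_stats(stitched))
```

On the constructed data, T101 never reaches the routed and settled stages, so it shows up as incomplete rather than silently dropping out of the averages, and T102 completes but takes 64 seconds end to end, which is what a "did the request get a response within the SLA" check is after. The same shape of check applies to a payment request that never receives its response event.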

Now that we've listed the use cases, let's visit a use case to see how to use the app.

Use Cases

Click on Wire Transfer Fraud from the Introduction page and you'll see all its examples. Examples are broken down by where they fit in the Splunk customer journey for operational intelligence (OI). Splunk OI has four levels, and each example is placed in one of them. The higher the level, the more operational value is obtained.

Let's click on Wire Transfer Fraud Multiple Client IPs. This example shows users who initiate wire transfer requests from multiple client IPs in less than one minute, which may indicate an account takeover.

As you notice, each example has a description: why it is important, how to implement it, and a sample search. The examples also belong to the categories used for filtering on the previous screen. If you expand Show Search and click on Show SPL, you'll get a commented description of the sample Splunk search, so that you can learn how to adapt this search for your own use. All single-search examples in this app have this capability.

Once the sample data search is executed, you can look at the results towards the bottom of the page.

The nature of these results varies between outliers, tables, charts, or multiple reports, depending on the example. In this example, we see that customer Vera has initiated two wire transfers using different IP addresses in the same minute. This could be fraud, or it could be a legitimate customer whose connection changed address; the example surfaces it for investigation rather than deciding. Not all examples are outliers, though. Let's look at this self-explanatory example that shows credit card response time statistics split by subcontractor.
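The search the app ships for this example is written in SPL. As an added illustration (not the app's search or its sample data), here is the same detection logic in Python over constructed log lines, together with the caveat that matters when you port it: "in less than one minute" can mean a sliding 60-second window or fixed one-minute buckets, and the two disagree on requests that straddle a minute boundary. The field names (user, action, src_ip) and the log layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not the app's bundled data); field names are assumptions.
# vera:  two IPs 36 s apart, same minute        -> flagged by both methods
# carol: two IPs 21 s apart, across a boundary   -> flagged only by the sliding window
# bob:   two IPs more than five minutes apart    -> not flagged
# alice: two requests from the same IP           -> not flagged
SAMPLE_LOG = """\
2018-10-15T09:00:05Z user=vera action=wire_request amount=2500 src_ip=203.0.113.10
2018-10-15T09:00:41Z user=vera action=wire_request amount=900 src_ip=198.51.100.7
2018-10-15T09:01:10Z user=bob action=wire_request amount=150 src_ip=192.0.2.44
2018-10-15T09:06:30Z user=bob action=wire_request amount=300 src_ip=192.0.2.91
2018-10-15T09:02:00Z user=alice action=wire_request amount=75 src_ip=192.0.2.5
2018-10-15T09:02:20Z user=alice action=wire_request amount=80 src_ip=192.0.2.5
2018-10-15T09:02:59Z user=carol action=wire_request amount=10 src_ip=203.0.113.1
2018-10-15T09:03:20Z user=carol action=wire_request amount=12 src_ip=203.0.113.2
2018-10-15T09:03:30Z user=dave action=login src_ip=203.0.113.9
"""


def parse(text):
    """Yield one dict per non-empty 'timestamp key=value ...' line, with _time parsed."""
    for line in text.splitlines():
        if line.strip():
            ts, *kvs = line.split()
            yield {"_time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                   **dict(kv.split("=", 1) for kv in kvs)}


def multi_ip_wire_requests(events, window=timedelta(minutes=1)):
    """Users with wire requests from more than one src_ip inside any span shorter
    than `window`. Returns {user: sorted list of the IPs involved}."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("action") == "wire_request":
            by_user[e["user"]].append((e["_time"], e["src_ip"]))
    flagged = defaultdict(set)
    for user, reqs in by_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # shrink the window from the left until it spans less than `window`
            while reqs[end][0] - reqs[start][0] >= window:
                start += 1
            ips = {ip for _, ip in reqs[start:end + 1]}
            if len(ips) > 1:
                flagged[user].update(ips)
    return {u: sorted(ips) for u, ips in flagged.items()}


def multi_ip_per_minute(events):
    """Same idea with fixed one-minute buckets (what `bin _time span=1m` gives you):
    simpler, but it misses pairs that straddle a minute boundary."""
    buckets = defaultdict(set)
    for e in events:
        if e.get("action") == "wire_request":
            buckets[(e["user"], e["_time"].replace(second=0))].add(e["src_ip"])
    return sorted({user for (user, _), ips in buckets.items() if len(ips) > 1})


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("sliding window:", multi_ip_wire_requests(events))
    print("minute buckets:", multi_ip_per_minute(events))
```

The sliding window flags vera and carol; the bucketed version flags only vera, because carol's two requests fall in different minutes. Neither result is proof of fraud on its own: a customer switching from Wi-Fi to a mobile network produces the same pattern, so treat the output as a lead to correlate with amount, beneficiary and device data rather than as a verdict.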

As you can see, the examples vary, but hopefully, they all educate.

Bookmarks

The framers of the Essentials series created a nice feature that allows you to bookmark an example so that it can be visited later or called out for other users of the Splunk search head to see. To use it, click on the little box next to any example on the examples screen for a use case to enable a bookmark. Then, from the top menu, you can navigate to your bookmarks.

There are some advanced uses for these bookmarks, such as including a use case example in a workflow for your own implementation, but for now, let's just bookmark the use case examples that look interesting.

Conclusion

Hopefully, this Essentials app shows some useful ideas for using Splunk in FSI. As I mentioned, more examples will come out in a future release. Click on as many examples as you wish to find something that may be a nugget for your deployment. If you are not sure on how to use a page, each page in the Essentials app has a tour button on the top right.

I would like to thank Splunkers Domnick Eger and David Veuve for their support for the Splunk Essentials series. Happy Splunking.

P.S. The Splunk Essentials for FSI app will be shown at Money 20/20 in Las Vegas this week, October 21-24, 2018. Visit us in the Splunk booth #2269.

Posted by Nimish Doshi

Nimish Doshi is a Principal Systems Engineer with Splunk and has been active in Splunkbase content creation and writing Splunk blog entries for a number of years.
