Splunk Essentials for the Financial Services Industry App, or how Splunk enters the finance analytics market

    Splunk is usually associated with IT and security analytics. This is no accident, since many of its add-ons and apps focus on those areas.
    But Splunk can also solve problems that go beyond traditional IT and information security use cases, for example in business analytics. There are solutions not only for general cases that do not depend on the specifics of a business, but also for particular industries, in particular the financial services industry, which is the subject of this article.

    In this article we look at the new app Splunk Essentials for the Financial Services Industry (FSI). It is the first Essentials app that focuses on a vertical (i.e. industry) market, and it covers use cases from commercial banks to brokerage firms.

    What is Splunk Essentials?

    Splunk Essentials is a series of free educational apps built to teach users how to work with their data and get value from it. Each app walks through specific practical use cases: data sources, SPL searches, screenshots, and so on.

    The first version of Splunk Essentials for FSI presents 15 use cases, illustrated with 94 examples. Let's look at the app in more detail.

    Essentials for FSI

    The app can be downloaded from Splunkbase and installed either on a standalone instance or, in a distributed deployment, on a search head. After that it is ready to use immediately: it needs no additional configuration or downloads, since all the sample data and lookups ship inside the app.

    The app's main page lists all the use cases with a description of each.

    The use cases are divided into three topics:

    1. Bank fraud
    2. Compliance
    3. Analytics

    Commercial Bank Fraud

    For bank fraud the app has three sections:

    • ATM fraud
    • Wire Transfer Fraud
    • Credit Card Fraud

    Each section currently contains five basic examples, and more will be added later. Since bank fraud usually occurs at banks serving individuals, when account data is compromised or accounts or cards are accessed illegitimately, the examples are built around these events.

    Compliance

    The compliance topic has two sections:

    • MiFID
    • Compliance with banking requirements

    MiFID (the Markets in Financial Instruments Directive) is a European Union directive adopted as part of the EU's plan to create a regulated single market for financial instruments. Its purpose is to regulate trading in financial instruments on European markets while providing comprehensive protection for investors and other market participants.

    The MiFID examples in Splunk are built around the fact that every host participating in a trading system keeps its own clock. Those clocks must stay within a defined tolerance of the reference time, because an inaccurate clock can cause a transaction to be executed or recorded incorrectly. (MiFID II's business clock synchronisation requirements, RTS 25, are what make this a compliance concern rather than a purely operational one.)
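
    The check the MiFID section describes, reproduced as an added example in Python rather than SPL so that it runs offline over a handful of log lines. This is not code from the FSI app or from the post's author; the log format (a host's own timestamp next to the reference timestamp taken at the same instant), the host classes, and the tolerance values are all assumptions made for the example. The tolerances are illustrative parameters, not the limits from RTS 25; take the real figures from the regulation for your activity type.

```python
from datetime import datetime, timezone

# Constructed sample clock-sync log lines (made up for this example, not the
# app's sample data). First field: the trading host's own timestamp. ref=...:
# the reference (UTC/NTP) timestamp taken at the same instant.
SAMPLE_LOG = """\
2017-10-05T09:00:00.000412Z host=trade-gw-01 class=hft ref=2017-10-05T09:00:00.000300Z
2017-10-05T09:00:00.000050Z host=trade-gw-02 class=hft ref=2017-10-05T09:00:00.000020Z
2017-10-05T09:00:30.000010Z host=trade-gw-02 class=hft ref=2017-10-05T09:00:30.000100Z
2017-10-05T09:00:00.001800Z host=oms-03 class=standard ref=2017-10-05T09:00:00.000500Z
2017-10-05T09:00:00.000400Z host=oms-04 class=standard ref=2017-10-05T09:00:00.000900Z
"""

# Illustrative tolerances in microseconds per host class. These are parameters
# of the example, NOT the figures from MiFID II RTS 25.
TOLERANCE_US = {"hft": 100, "standard": 1000}


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with microsecond precision."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def offset_us(local, ref):
    """Signed offset (local - ref) in whole microseconds, using exact integer arithmetic."""
    d = local - ref
    return (d.days * 86_400 + d.seconds) * 1_000_000 + d.microseconds


def parse_line(line):
    """Turn one log line into {'host', 'class', 'offset_us'}."""
    local_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "host": fields["host"],
        "class": fields["class"],
        "offset_us": offset_us(parse_ts(local_text), parse_ts(fields["ref"])),
    }


def check_clock_drift(log_text, tolerance=TOLERANCE_US):
    """Worst absolute offset per host, and whether it stays within the class limit."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        entry = report.setdefault(
            ev["host"],
            {"class": ev["class"], "worst_offset_us": 0, "limit_us": tolerance[ev["class"]]},
        )
        entry["worst_offset_us"] = max(entry["worst_offset_us"], abs(ev["offset_us"]))
        entry["ok"] = entry["worst_offset_us"] <= entry["limit_us"]
    return report


def out_of_tolerance(report):
    """Hosts that breached their limit, sorted by name."""
    return sorted(host for host, r in report.items() if not r["ok"])


if __name__ == "__main__":
    rep = check_clock_drift(SAMPLE_LOG)
    for host, r in sorted(rep.items()):
        status = "OK" if r["ok"] else "BREACH"
        print(f"{host:12} {r['class']:9} worst={r['worst_offset_us']:5d} us "
              f"limit={r['limit_us']} {status}")
    print("out of tolerance:", out_of_tolerance(rep))
```

    The offset is only as trustworthy as the reference timestamp: if the collector itself is not disciplined to UTC, every host looks wrong by the same amount. Reporting the worst offset per host rather than the latest one matters, because a clock that drifts and is then stepped back would otherwise pass the check.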

    The section on compliance with banking requirements contains examples for multi-channel banking. The logic is as follows: after a customer performs a banking operation, the record of that operation lands in Splunk, is enriched with customer data from a lookup, and can then be checked for problems such as a negative account balance, inactive accounts, too many open accounts, and so on. This not only helps with sending notifications to the customer, but also lets the bank audit the operation history and account state, which makes it possible to monitor compliance with the requirements and rules the bank sets for itself.


    The third topic covered in this app is statistics, or analytics. In Splunk, analytics can be built as soon as data is indexed, so results are available almost in real time, unlike solutions that apply an ETL approach to unstructured machine data, where processing can take several hours. The data sources for these use cases are mainly application logs.

    The following sections belong to analytics:

    • Bitcoin - statistics and tracking from Bitcoin logs. There is also a separate app for Bitcoin analytics.
    • Transaction Statistics - analytics for a hypothetical four-stage transaction, including the total duration and the duration of each stage.
    • Trade - Where is it? - tracks a trade across different systems using the identifiers they have in common.
    • Payment Response - does a payment request receive a response, matched on a common identifier? This case builds response statistics and includes examples of hypothetical SLA tracking.
    • New User Login - what experience does a user get from the service after the first login? Was access to some pages denied, or did the user hit long response times?
    • ATM Statistics - analytics on ATM usage.
    • Wire Transfer Statistics - analytics on wire transfers.
    • Credit Card Statistics - analytics on credit card usage.
    • New Credit Limit - analytics on approved and rejected requests to change credit limits.

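    The Transaction Statistics and Payment Response cases above share one technique: stitch events together on a common identifier, then compute per-stage durations, spot requests that never got a response, and compare the total against an SLA. Below is an added Python example of that logic over constructed log lines. It is not code from the FSI app; the four stage names, the txn field, the log layout and the SLA value are assumptions made for the example (in Splunk the same correlation would be done in SPL, for instance with transaction or stats grouped by the identifier).

```python
from datetime import datetime, timezone

# Constructed four-stage transaction log (made up for this example, not the
# app's sample data). Every stage of one transaction carries the same txn id,
# which is the common identifier used to stitch stages together. Lines are
# deliberately not in time order.
SAMPLE_LOG = """\
2017-10-05T10:00:00.000Z txn=T1001 stage=received
2017-10-05T10:00:01.100Z txn=T1001 stage=authorized
2017-10-05T10:00:00.250Z txn=T1001 stage=validated
2017-10-05T10:00:01.900Z txn=T1001 stage=settled
2017-10-05T10:00:02.000Z txn=T1002 stage=received
2017-10-05T10:00:02.400Z txn=T1002 stage=validated
2017-10-05T10:00:03.000Z txn=T1003 stage=received
2017-10-05T10:00:03.300Z txn=T1003 stage=validated
2017-10-05T10:00:06.100Z txn=T1003 stage=authorized
2017-10-05T10:00:06.500Z txn=T1003 stage=settled
"""

STAGES = ["received", "validated", "authorized", "settled"]  # assumed stage order


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def ms_between(a, b):
    """Whole milliseconds from a to b (exact integer arithmetic, sign preserved)."""
    d = b - a
    return (d.days * 86_400 + d.seconds) * 1000 + d.microseconds // 1000


def parse_events(log_text):
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((fields["txn"], fields["stage"], parse_ts(ts_text)))
    return events


def transaction_stats(log_text, sla_ms):
    """Per transaction: duration of each stage, total, completeness and SLA status."""
    by_txn = {}
    for txn, stage, ts in parse_events(log_text):
        by_txn.setdefault(txn, {})[stage] = ts
    stats = {}
    for txn, seen in by_txn.items():
        missing = [s for s in STAGES if s not in seen]
        durations = {}
        for prev, cur in zip(STAGES, STAGES[1:]):
            if prev in seen and cur in seen:
                durations[cur] = ms_between(seen[prev], seen[cur])
        complete = not missing
        total = ms_between(seen[STAGES[0]], seen[STAGES[-1]]) if complete else None
        stats[txn] = {
            "stage_ms": durations,
            "total_ms": total,
            "complete": complete,
            "missing": missing,
            "sla_ok": (total <= sla_ms) if complete else None,
        }
    return stats


def stage_averages(stats):
    """Mean duration per stage over complete transactions: shows where time is lost."""
    sums, counts = {}, {}
    for s in stats.values():
        if not s["complete"]:
            continue
        for stage, ms in s["stage_ms"].items():
            sums[stage] = sums.get(stage, 0) + ms
            counts[stage] = counts.get(stage, 0) + 1
    return {stage: sums[stage] / counts[stage] for stage in sums}


def problems(stats):
    """Requests without a final response, and completed ones that breached the SLA."""
    return {
        "incomplete": sorted(t for t, s in stats.items() if not s["complete"]),
        "sla_breach": sorted(t for t, s in stats.items() if s["sla_ok"] is False),
    }


if __name__ == "__main__":
    st = transaction_stats(SAMPLE_LOG, sla_ms=3000)
    for txn, s in sorted(st.items()):
        print(txn, s)
    print("stage averages (ms):", stage_averages(st))
    print("problems:", problems(st))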
    Now that we have listed all the use cases, let's walk through a specific example to see how to use the app.

    How to use the application?

    Click “Wire Transfer Fraud” on the “Introduction” page, and you will see all the examples for detecting wire transfer fraud.

    The examples are divided into four levels that Splunk distinguishes in the process of operational analytics. The higher the level, the more complex the example and the more value it can bring. At the moment most examples are at the first two levels, but the app will be updated, and we hope that all four levels will soon be covered for every use case.

    Next, click Wire Transfer Fraud Multiple Client IPs. This example finds users who initiate transfer requests from multiple client IP addresses within less than one minute. Such behaviour may indicate fraud.

    As you can see, each example includes a description of why it matters, how to implement it, and how to build the search. If you expand Show Search and click Show SPL, you get a commented walkthrough of the SPL query that helps you adapt the search to your own tasks. Every sample search in the app has this feature.

    After running the search, the results appear at the bottom of the page.

    In this example we see that a client made two wire transfers within one minute from different IP addresses.
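
    The detection logic behind this example, as an added Python illustration that is not code from the FSI app or its SPL search: for each user, look at every sliding window shorter than one minute and flag the user when the transfer requests in that window come from more than one client IP. The log layout (user, ip and amount fields), the user names and the IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed wire-transfer request log (made up for this example, not the
# app's sample data): one line per transfer request with user and client IP.
SAMPLE_LOG = """\
2017-10-05T12:00:00Z user=alice ip=203.0.113.10 amount=1200
2017-10-05T12:00:25Z user=alice ip=198.51.100.7 amount=3000
2017-10-05T12:01:00Z user=bob ip=192.0.2.44 amount=150
2017-10-05T12:01:30Z user=bob ip=192.0.2.44 amount=75
2017-10-05T12:05:00Z user=carol ip=203.0.113.55 amount=500
2017-10-05T12:11:00Z user=carol ip=198.51.100.9 amount=500
2017-10-05T12:20:10Z user=dave ip=192.0.2.1 amount=900
2017-10-05T12:20:30Z user=dave ip=192.0.2.2 amount=900
2017-10-05T12:20:50Z user=dave ip=192.0.2.3 amount=900
"""


def parse_events(log_text):
    """Parse the constructed log into time-ordered event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, rest = line.split(" ", 1)
        f = dict(kv.split("=", 1) for kv in rest.split())
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": f["user"], "ip": f["ip"], "amount": int(f["amount"])})
    return sorted(events, key=lambda e: e["ts"])


def flag_multi_ip_transfers(log_text, window_s=60):
    """Users whose transfer requests within any window of < window_s seconds
    came from more than one client IP. Returns the widest such window per user."""
    by_user = defaultdict(list)
    for e in parse_events(log_text):
        by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            ips = {first["ip"]}
            j = i + 1
            # extend the window forward while events fall within window_s of the first
            while j < len(evs) and (evs[j]["ts"] - first["ts"]).total_seconds() < window_s:
                ips.add(evs[j]["ip"])
                j += 1
            if len(ips) > 1 and len(ips) > len(alerts.get(user, {}).get("ips", [])):
                alerts[user] = {
                    "ips": sorted(ips),
                    "window_start": first["ts"].isoformat(),
                    "transfers": j - i,
                }
    return alerts


if __name__ == "__main__":
    for user, a in sorted(flag_multi_ip_transfers(SAMPLE_LOG).items()):
        print(f"{user}: {a['transfers']} transfers from {len(a['ips'])} IPs "
              f"starting {a['window_start']}: {', '.join(a['ips'])}")
```

    A caveat before turning this into an alert: mobile carriers and corporate NAT pools can legitimately change a customer's client IP between two requests, so in production the rule is usually combined with the amount, the destination account, or the geographic distance between the IPs rather than used on its own.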

    Of course, not all examples in the app are based on outliers or anomalous behaviour. Let's look at an example that shows credit card response time statistics.


    The creators of the Essentials apps added a handy feature that lets you bookmark an example so you can easily find it later or show other users that you found it interesting. To do so, tick the small checkbox next to the name of any example. You can then reach your bookmarks from the top menu.

    Advanced users can use these bookmarks as a starting point for research on their own data.


    We hope the Splunk Essentials app gives you some useful ideas for applying Splunk in the financial industry. As mentioned, new examples will appear in future releases, but those already present cover many of the problems of using machine data in finance.

    You can download the app from SplunkBase.

    If you have not tried Splunk yet, now is the time: the free version, up to 500 MB per day, is available to everyone. And if you have questions or problems with Splunk, you can ask us, and we will help.

    We are the official Premier Splunk Partner.
