Splunk® App for Fraud Analytics

User Guide


Data model definitions

Use the following tables for information on the fields in the fraud-related data models:

Fraud account data model

| Name | Description | Example | Format | Source |
|---|---|---|---|---|
| acc_age | Age of the account (in days) | 107 | Number | Extracted |
| acc_holder_dob | Date of birth | 05/25/1995 | String | Extracted |
| acc_holder_first_name | First name | John | String | Extracted |
| acc_holder_last_name | Last name | Smith | String | Extracted |
| acc_holder_middle | Middle initial | P | String | Extracted |
| acc_status | Account status | Approve | String | Extracted |
| addr_home_city | City of home address | Seattle | String | Extracted |
| addr_home_state | State of home address | Washington | String | Extracted |
| addr_home_zip | Zip Code of home address | 92017 | Number | Extracted |
| addr_home_zip_lat | Latitude of zip code | | String | Lookup |
| addr_home_zip_lon | Longitude of zip code | | String | Lookup |
| deviceid | Device identifier | | | |
| direct_deposit | Destination account for funds | 12345678 | Number | Extracted |
| email | Email address | john.smith@gmail.com | String | Extracted |
| email_domain_root | Email address domain (root) | gmail | String | Eval Expression |
| email_domain_tld | Email address domain (top level) | gmail.com | String | Eval Expression |
| email_normalized | Email address (includes the name) | johnsmith@gmail.com | String | Eval Expression |
| host | Host of the data source | | String | Inherited |
| http_accept | | | String | Extracted |
| http_accept_language | | | String | Extracted |
| http_content_type | | | String | Extracted |
| http_method | API method (Post, Get, and so on) | | String | Extracted |
| http_referer | Referring URL | | String | Extracted |
| http_user_agent | Web browser identifier | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393 | String | Extracted |
| mmn | Mother's maiden name | Smith | String | Extracted |
| occupation | Occupation | Janitor | String | Extracted |
| password | Password | Hash of pwd | String | Eval Expression |
| phone_home | Home phone number | 209-121-2398 | String | Extracted |
| r_10 | Deprecated | | Number | Eval Expression |
| source | Source of the data source | | String | Inherited |
| sourcetype | Sourcetype of the data source | | String | Inherited |
| src_ip | IP address logged for the event | 123.10.10.234 | IPv4 | Extracted |
| src_ip_City | City corresponding to the IP address | Los Angeles | String | Geo IP |
| src_ip_Country | Country corresponding to the IP address | United States | String | Geo IP |
| src_ip_lat | Latitude corresponding to the IP address | | String | Geo IP |
| src_ip_lon | Longitude corresponding to the IP address | | String | Geo IP |
| src_ip_Region | State or province corresponding to the IP address | Florida | String | Geo IP |
| ssn | Social security number | 172-90-9201 | String | Extracted |
| uniqueid | Credit, benefits application ID, or permanent user ID that supersedes SSN or username | | String | Extracted |
| username | Username | barneysmith | String | Extracted |


Fraud web data model

| Name | Description | Example | Format | Source |
|---|---|---|---|---|
| accept_language | Language accepted by the browser | | String | Extracted |
| action | | | String | Extracted |
| actions | | | String | Extracted |
| bill_payments_num | | | Number | Extracted |
| bytes_in | | | Number | Extracted |
| bytes_in_total | | | Number | Extracted |
| bytes_out | | | Number | Extracted |
| bytes_out_total | | | Number | Extracted |
| City | | | String | Extracted |
| Countries_num | | | Number | Extracted |
| Country | | | String | Extracted |
| date_hour | | | Number | Extracted |
| date_mday | | | Number | Extracted |
| date_month | | | String | Extracted |
| date_wday | | | String | Extracted |
| date_year | | | Number | Extracted |
| date_zone | | | Number | Extracted |
| deposit_checks_num | | | Number | Extracted |
| errors | | | Number | Extracted |
| host | | | String | Inherited |
| http_accept | | | String | Extracted |
| http_accept_language | | | String | Extracted |
| http_content_type | | | String | Extracted |
| http_method | API method (Post, Get, and so on) | | String | Extracted |
| http_referer | Referring URL | | String | Extracted |
| http_user_agent | Browser identifier | | String | Extracted |
| http_user_agents_num | | | Number | Extracted |
| ip_16_subnet | | | String | Extracted |
| ip_16_subnets | | | String | Extracted |
| ip_16_subnets_num | | | Number | Extracted |
| ip_subnet_16 | | | String | Extracted |
| ip_subnet_24 | | | String | Extracted |
| is_aggregator | | | Number | Extracted |
| languages | | | String | Extracted |
| logged_in | | | Number | Extracted |
| logins_success_num | | | Number | Extracted |
| money_movements_num | | | Number | Extracted |
| r_10 | Deprecated | | Number | Eval Expression |
| r_100 | Deprecated | | Number | Eval Expression |
| r_1000 | Deprecated | | Number | Eval Expression |
| r_10000 | Deprecated | | Number | Eval Expression |
| r_100000 | Deprecated | | Number | Eval Expression |
| r_1000000 | Deprecated | | Number | Eval Expression |
| Region | | | String | Extracted |
| risk_exposure | | | Number | Extracted |
| risk_exposure_r | | | Number | Extracted |
| risk_level | | | Number | Extracted |
| risk_level_r | | | Number | Extracted |
| screen | | | String | Extracted |
| screens | | | String | Extracted |
| security_code_requests_num | | | Number | Extracted |
| session_duration | | | Number | Extracted |
| session_events_num | | | Number | Extracted |
| session_id | Web session ID | | String | Extracted |
| source | | | String | Inherited |
| sourcetype | | | String | Inherited |
| src_ip | Client IP address | 10.10.10.20 | String | Extracted |
| src_ips_num | | | Number | Extracted |
| status | Web page status | 400, 200, etc. | Number | Extracted |
| trade_securities_num | | | Number | Extracted |
| uri | | | String | Extracted |
| uri_path | | | String | Extracted |
| username | Username | barneysmith | String | Extracted |
| username_ex | | | String | Extracted |
| username_tried | | | String | Extracted |
| usernames | | | String | Extracted |
| usernames_num | | | Number | Extracted |

Fraud anti money laundering data model

The data model for anti money laundering use cases.

| Name | Description | Example | Format | Source |
|---|---|---|---|---|
| account | Unique identity of an account | 020-68723985 | String | Extracted |
| amount | Transfer amount in default currency | 5000.00 | Number | Extracted |
| amount_usd | Transfer amount in USD | 2500.00 | Number | Extracted |
| country | Location of an account: Country | USA | String | Extracted |
| currency | Currency of a transfer | US Dollar | String | Extracted |
| direction | Direction of a transfer | In, Out | String | Extracted |
| oth_account | Unique identity of other account | 650892343-32 | String | Extracted |
| oth_bank | Bank ID of other account | 0375 | String | Extracted |
| oth_country | Location of other account: Country | Italy | String | Extracted |
| oth_currency | Default currency of other account | Euro | String | Extracted |
| payment_format | Type of payment | Wire transfer | String | Extracted |
| date_* | date_* variables calculated from _time | | String, Number | Auto Calculated |

Fraud unemployment insurance data model

The data model for unemployment insurance fraud use cases. When looking at fraud detection in unemployment insurance, build a lookup file that aggregates statistical information on social security numbers and bank accounts over a period of time. See Fraud unemployment insurance data model lookups for more information.

| Name | Description | Example | Format | Source |
|---|---|---|---|---|
| ADDR_ZIP | ZIP code of claimant address | 07675-1211 | String | Extracted |
| data_source | Source of transaction | CERTS | String | Extracted |
| date_* | date_* variables calculated from _time | | String, Number | Auto Calculated |
| email_norm | Normalized email address | alex@buttercupgames.com | String | Extracted |
| IP_City | IP address location: City | New York | String | Extracted |
| IP_Country | IP address location: Country | USA | String | Extracted |
| IP_Region | IP address location: Region | New York | String | Extracted |
| IPADDRESS | IP address | 123.45.6.78 | String | Extracted |
| NAME | Claimant name | John Smith | String | Extracted |
| SSN | Social Security number | 123-45-6789 | String | Extracted |
| SSN_NUM | Social Security number, numbers only | 123456789 | String | Extracted |
| TEL_NO | Telephone number of a claimant | 201-123-4567 | String | Extracted |
| accounts_num | Number of distinct bank accounts associated with the Social Security number | 5 | Number | Lookup |
| acct_shared_with | Number of distinct Social Security numbers the bank account is shared with | 4 | Number | Lookup |
| emails_norm | Number of distinct email addresses that the normalized email is mapped to | 7 | Number | Lookup |
| risk | Text | | String | Lookup |

Medicine activity data model

The data model used for fraud detections over controlled substances and opioids in hospital environments. These fields are used in detections and within investigative dashboards. The actual data model might contain more fields for future detections and more advanced use cases.

| Name | Description | Example | Format | Source |
|---|---|---|---|---|
| drug_control_level | Level describing controlled substance | 3 | Number | Extracted |
| user_id | Hospital employee ID | 2139846543 | String | Extracted |
| user_department | Name of department | Pharmacy | String | Extracted |
| user_title | Job title of the user | Registered nurse | String | Extracted |
| med_order_id | Document to administer medication | 123098657 | String | Extracted |
| witness_id | ID of a witness | 5132-780946 | String | Extracted |
| transaction_name | Name of transaction | Issue: Standard | String | Extracted |
| transaction_type | Type of transaction | I-UN | String | Extracted |
| transaction_subtype | Subtype of transaction | I | String | Extracted |
| patient_id | ID of a patient | 435766543 | String | Extracted |
| drug_name_short | Short name of medication | OXYCODONE | String | Extracted |
| drug_name_long | Long name of medication | oxyCODONE HCL 10MG TABLET | String | Extracted |
| drug_is_opioid | Whether it is an opioid or controlled substance | 1 | Number | Extracted |
| witness_department | Department of witness | PWC-Psych | String | Extracted |
| witness_title | Title of witness | Staff nurse | String | Extracted |
Last modified on 16 November, 2023
This documentation applies to the following versions of Splunk® App for Fraud Analytics: 1.2.4