Splunk® Business Flow (Legacy)

Get Started with Splunk Business Flow Tutorial



Splunk Business Flow is no longer available for purchase as of June 20, 2020. Customers who have already purchased Business Flow will continue to have support and maintenance per standard support terms for the remainder of contractual commitments.

What is a Flow Model?

To analyze your data in Splunk Business Flow (SBF), you need to create a Flow Model. A Flow Model is a grouping of discrete information, configured within Splunk Business Flow, that represents a transaction, session, or other business process. In the Flow Model, you define which field names you want to track and how you want to correlate events.

Components that make up the Flow Model definition

The following components make up a Flow Model definition: a search and the fields that represent one or more Correlation IDs, Steps, and Attributes. The Search scans the event logs, transforms or extracts events based on the specifications of the search, and then returns the results. The Flow Model definition determines how SBF identifies and groups related events into ordered sequences called Journeys. The following example breaks down the components of the Flow Model definition.

Example

Suppose you are interested in exploring this Journey: a customer adds an item to a cart, calls support, and then places an order. The Flow Model contains events from each data source: weblogs, call center, and order system. Possible correlation IDs for this Journey include the customer ID and the order ID. In the tutorial data, the step field action contains all the events related to the user's actions, such as sign in, add to cart, and place order.

Flow Model component | Example
Search | index=tutorial
Correlation IDs | customer_id, order_id
Step | action
Attribute | country

Write a search for your Flow Model

The Search scans the event logs, transforms or extracts events based on the specifications of the search, and then returns the results.

Example

In this tutorial, you uploaded a zip file, Game_store.zip, with three text files in it: call_center.txt, order.txt, and web.txt. These text files contain data from a fictitious online store.


This diagram shows what is inside the tutorial data. There is a zip file called Game_store and inside there are three text files: call_center.txt, order.txt, and web.txt.

When you uploaded the tutorial data in Part 3, you automatically entered the following search.

index = tutorial

This search includes all three text files as sourcetypes. If you used this as a search for a Flow Model, you can explore events across all three sourcetypes.

This screenshot shows the three text files in the tutorial data listed as sourcetypes.

What are Journeys?

A Journey contains all the steps a user or object executes during a process. In this tutorial, you created the Game_store weblogs Flow Model. Then, in the Explorer, Splunk Business Flow stitches together events into individual Journeys based on the Flow Model components. Use the List view to sort Journeys by duration, step count, or sequence, or to drill down into the details.

Example

The following flowchart shows one customer's Journey from the Game_store weblogs Flow Model. The Journey Details table lists all of the characteristics of the Journey, such as number of steps, attributes like location, and the duration of the Journey.

This screenshot shows the activity log of a customer Journey. The customer creates a new account, adds an item to the cart, applies a coupon, and submits the order.

How Correlation IDs group events into Journeys

Correlation IDs are the field names that correspond to unique descriptors of events, such as user_ID, customer_ID, phone_number, or caller_ID. Splunk Business Flow uses Correlation IDs to identify related events in the event log and group them into Journeys. Continuing with the same example, a Correlation ID for the order system Journey might be the order_id.

Example

The following diagram shows how a Flow Model with the correlation IDs call_from and caller_id identifies a connection across events. The correlation IDs reveal that events 1 and 3 correspond to the same person, and therefore to the same Journey.

This diagram shows how correlation IDs identify connections across systems and group relevant events. The two correlation IDs in the diagram are call_from and caller_id. The diagram shows a sequence of three events. In the first event, a customer calls into the call center. The event lists the customer's phone number, which corresponds to call_from, the customer_id, the queue number of the call, and the status of the call. In the second event, an agent answers the call. This event lists both correlation IDs call_from and caller_id in the same event. The third event, which only lists caller_id, is identified as part of the same customer Journey as the first two events.

Event | Correlation ID | Description
1 | call_from | A customer is placed in a queue at the call center.
2 | call_from, caller_id | The customer is connected to a call center agent and assigned a caller ID.
3 | caller_id | The call is dropped.
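
The grouping described above can be reproduced outside the product. The following Python sketch is an added example, not Splunk Business Flow code: it uses a union-find structure (an assumed technique, chosen here to show the transitive link from event 1 to event 3 through event 2) over constructed sample events, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample events modeled on the three call-center events above,
# plus one unrelated caller. Values and timestamps are made up.
EVENTS = [
    {"id": 1, "time": 100, "action": "queued", "call_from": "555-0100"},
    {"id": 2, "time": 130, "action": "answered", "call_from": "555-0100", "caller_id": "C42"},
    {"id": 3, "time": 190, "action": "dropped", "caller_id": "C42"},
    {"id": 4, "time": 140, "action": "queued", "call_from": "555-0199"},
]

def group_journeys(events, correlation_ids):
    """Group events that share a correlation ID value, directly or through a chain."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    correlated = []
    for ev in events:
        # Key on (field, value) so equal strings in different fields never collide.
        keys = [(f, ev[f]) for f in correlation_ids if ev.get(f)]
        if not keys:
            continue  # no correlation ID present: the event joins no journey
        for k in keys[1:]:
            union(keys[0], k)  # IDs seen in one event belong to one journey
        correlated.append((ev, keys[0]))

    journeys = defaultdict(list)
    for ev, key in correlated:
        journeys[find(key)].append(ev)
    # Steps are ordered by time; journeys are ordered by their first step.
    ordered = [sorted(evs, key=lambda e: e["time"]) for evs in journeys.values()]
    return sorted(ordered, key=lambda j: j[0]["time"])

def journey_ids(events=EVENTS, correlation_ids=("call_from", "caller_id")):
    """Return each journey as a list of event ids, for easy inspection."""
    return [[e["id"] for e in j] for j in group_journeys(events, correlation_ids)]
```

With only call_from configured, event 3 carries no correlation ID and is left out of the Journey, which is why the choice of correlation IDs determines how complete each reconstructed sequence is.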


Next

Continue to Create a Flow Model.

Last modified on 01 April, 2020

This documentation applies to the following versions of Splunk® Business Flow (Legacy): -Latest-

