Splunk® Business Flow (Legacy)

User Manual


Splunk Business Flow is no longer available for purchase as of June 20, 2020. Customers who have already purchased Business Flow will continue to have support and maintenance per standard support terms for the remainder of contractual commitments.

Identify your Correlation IDs, Steps, and Attributes

"Flow Model" refers to a grouping of discrete information which represents a transaction, session, or other business process that is configured within Splunk Business Flow. The Flow Model contains a repository of events that you are interested in analyzing. In the Flow Model, you define what field names you want to track, and how you want to correlate events. The following components make up a Flow Model definition: a search and the fields that represent one or more Correlation IDs, Steps, and Attributes. The Search scans the event logs, transforms or extracts events based on the specifications of the search, and then returns the results. The Flow Model definition determines how SBF identifies and groups related events into ordered sequences called Journeys.

The basic recipe for a Flow Model in Splunk Business Flow (SBF) includes a search and one or more Correlation IDs, Steps, and Attributes. Attributes are optional.

Correlation IDs and gluing events

The Flow Model uses Correlation IDs to discover unique connections across multiple sources and group relevant events. Correlation IDs are unique descriptors of events, such as user ID, customer ID, phone number, or caller ID. Depending on the process you want to track, you may need multiple Correlation IDs to identify all the related events. If you have multiple Correlation IDs, verify that you have gluing events in your data. A gluing event is an event in which two or more Correlation IDs occur. Splunk Business Flow uses gluing events to discover connections across disparate systems and to create Journeys.

The following diagram shows a sample of events from fictitious call center data. In this example, there are two Correlation IDs: call_from and caller_id. In the first event, the customer is identified by a phone number, which is associated with the Correlation ID call_from. In the second event, when the call is answered, the customer is assigned a caller ID. In the third event, the customer is only identified by the caller ID. The gluing event associates all events with call_from = 000 000 0000 and caller_id = 155 as part of the same customer journey.

This diagram shows how Correlation IDs identify connections across systems and group relevant events. The two Correlation IDs in the diagram are call_from and caller_id. The diagram shows a sequence of three events. In the first event, a customer calls into the call center. The event lists the customer's phone number, which corresponds to call_from, the customer_id, the queue number of the call, and the status of the call. In the second event, an agent answers the call. This is the gluing event because it contains both Correlation IDs call_from and caller_id in the same event. The third event, which only lists caller_id, is identified as part of the same customer journey as the first two events.

Step

The step corresponds to the series of actions an item or person takes in the process that you want to track. Continuing with the same example, the step is the status of the call. In the first event, the call is placed in a queue. In the second event, the call is answered. In the third event, the call is dropped. Status is the step because it captures all action phases in this process.

This diagram highlights the steps in the event log. The event log is the same as in the previous diagram. The steps correspond to the status of the call. In the first event, the call is placed in a queue. In the second event, the call is answered. In the third event, the call is dropped.

Attributes

An attribute is an optional component of a Flow Model. An attribute represents additional information you'd like to include in your search, such as location. Use attributes to filter journeys.

In this example, you can use country_code as an attribute to filter journeys based on the location the customer called from. The customer has country_code = 044, so the customer called from the UK.

If your data sources contain more than 100 Attribute fields, some fields might not appear in the Flow Model editor.


This diagram highlights the attribute "country_code" in the first event. The customer called from "country_code" = "044", the United Kingdom.
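
The following sketch, added here as an illustration and not Splunk Business Flow code, groups constructed call center events into Journeys by linking Correlation ID values through gluing events, then reads the Steps and filters on the Attribute. The union-find approach, the `time` field, the status values, and the second and third callers' events are assumptions made for the example.

```python
from collections import defaultdict

CORRELATION_IDS = ("call_from", "caller_id")  # fields used to link events
STEP_FIELD = "status"                          # field whose values are the Steps
ATTRIBUTE_FIELD = "country_code"               # optional Attribute used for filtering

# Constructed sample events modelled on the call center example above.
EVENTS = [
    {"time": 1, "call_from": "000 000 0000", "country_code": "044", "status": "queued"},
    {"time": 2, "call_from": "111 111 1111", "country_code": "001", "status": "queued"},
    {"time": 3, "call_from": "000 000 0000", "caller_id": "155", "status": "answered"},
    {"time": 4, "caller_id": "155", "status": "dropped"},
    {"time": 5, "caller_id": "200", "status": "answered"},  # never glued to a call_from
]

def build_journeys(events):
    """Group events whose Correlation ID values are linked by gluing events."""
    parent = {}

    def find(key):
        parent.setdefault(key, key)
        while parent[key] != key:
            parent[key] = parent[parent[key]]  # path halving
            key = parent[key]
        return key

    # An event carrying two or more Correlation IDs is a gluing event:
    # union every ID value it carries so they resolve to one journey.
    for ev in events:
        keys = [(f, ev[f]) for f in CORRELATION_IDS if f in ev]
        for other in keys[1:]:
            parent[find(other)] = find(keys[0])

    journeys = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        keys = [(f, ev[f]) for f in CORRELATION_IDS if f in ev]
        if keys:  # an event with no Correlation ID cannot join a journey
            journeys[find(keys[0])].append(ev)
    return list(journeys.values())

def steps(journey):
    """Ordered Step values for one journey."""
    return [ev[STEP_FIELD] for ev in journey]

def filter_by_attribute(journeys, value):
    """Keep journeys in which any event carries the given Attribute value."""
    return [j for j in journeys if any(ev.get(ATTRIBUTE_FIELD) == value for ev in j)]

if __name__ == "__main__":
    for journey in build_journeys(EVENTS):
        print(steps(journey))
```

Because the linking in this sketch is transitive, a Correlation ID value shared by unrelated parties would merge their events into a single journey, which is worth checking for when choosing Correlation ID fields.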

Last modified on 21 August, 2019

This documentation applies to the following versions of Splunk® Business Flow (Legacy): -Latest-

