Splunk® Business Flow (Legacy)

Admin Manual

Splunk Business Flow is no longer available for purchase as of June 20, 2020. Customers who have already purchased Business Flow will continue to have support and maintenance per standard support terms for the remainder of contractual commitments.

Customize default Step and Correlation ID values in commands.conf

In Splunk Business Flow (SBF), the maximum Step count and Correlation ID value matches have default settings that help optimize search performance.

Max Step count per Journey

The maximum Step count per Journey is 500 steps. If a Journey contains more than 500 steps, it is split into multiple Journeys based on the 500-step maximum.

Max Correlation ID value matches

Typically, a Correlation ID value corresponds to only one Journey that contains all the actions associated with the unique value. For example, suppose you select the Correlation ID userID. SBF scans and groups events with the same unique value, such as user123, together in the same Journey. If you select a field that is not unique, such as country, SBF tries to group all steps with the same generic field value, such as usa, in the same Journey. Many Journeys can contain a generic field value like usa. If you select a generic Correlation ID value, SBF will create a maximum of 30 Journeys for Correlation ID value usa. Running searches with a large number of Correlation ID value matches can decrease search performance. The max Correlation ID value matches setting helps to improve search performance.

Example commands.conf configuration

In this example, the maxsteps is set to 500 and the maxcorrelationmatches is set to 30.

[journeyv2]
command.arg.1 = maxsteps=500
command.arg.2 = maxcorrelationmatches=30
[journeyv2py]
command.arg.1 = maxsteps=500
command.arg.2 = maxcorrelationmatches=30

Customize the default settings

To change the default number of steps permitted in a Journey, you need to create the commands.conf file.

You must have SBF version 2.0.0 or later to change the max Journey step count default setting.

Prerequisites

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

Steps

  1. Create a commands.conf file at this file path: $SPLUNK_HOME/etc/apps/splunk-business-flow/local/commands.conf
  2. Copy the following stanza into the commands.conf file with your maximum step value.
    [journeyv2]
    command.arg.1 = maxsteps=<YOUR VALUE>
    command.arg.2 = maxcorrelationmatches=<YOUR VALUE>
    [journeyv2py]
    command.arg.1 = maxsteps=<YOUR VALUE>
    command.arg.2 = maxcorrelationmatches=<YOUR VALUE>
    
  3. Save the commands.conf file.
  4. Restart your Splunk instance.

Disable the default settings

Follow these steps to disable the default settings.

Prerequisites

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

Steps

  1. Create a commands.conf file at this file path: $SPLUNK_HOME/etc/apps/splunk-business-flow/local/commands.conf
  2. Copy the following stanza, which sets both values to 0, into the commands.conf file.
    [journeyv2]
    command.arg.1 = maxsteps=0
    command.arg.2 = maxcorrelationmatches=0
    [journeyv2py]
    command.arg.1 = maxsteps=0
    command.arg.2 = maxcorrelationmatches=0
    
  3. Save the commands.conf file.
  4. Restart your Splunk instance.
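
An added example, not part of the Splunk documentation: a Python check that layers a local commands.conf over the default one, attribute by attribute as Splunk does, and reports the limits each Journey command ends up with, flagging limits set to 0 and stanzas that disagree. The default text repeats this page's example; the local text and all function names are constructed for illustration.

```python
import re

LIMITS = ("maxsteps", "maxcorrelationmatches")  # settings named on this page
STANZAS = ("journeyv2", "journeyv2py")

# default/ content as in the page's example; local/ content is constructed.
DEFAULT_CONF = """[journeyv2]
command.arg.1 = maxsteps=500
command.arg.2 = maxcorrelationmatches=30
[journeyv2py]
command.arg.1 = maxsteps=500
command.arg.2 = maxcorrelationmatches=30
"""
LOCAL_CONF = """[journeyv2]
command.arg.1 = maxsteps=1000
command.arg.2 = maxcorrelationmatches=0
[journeyv2py]
command.arg.1 = maxsteps=1000
"""

def parse_conf(text):
    """Return {stanza: {attribute: value}} from commands.conf text."""
    conf, stanza = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = conf.setdefault(header.group(1), {})
        elif stanza is not None and "=" in line and not line.startswith("#"):
            attr, value = line.split("=", 1)
            stanza[attr.strip()] = value.strip()
    return conf

def effective_limits(default_text, local_text):
    """Layer local over default per attribute, then read the key=value args."""
    default, local = parse_conf(default_text), parse_conf(local_text)
    limits = {}
    for name in STANZAS:
        merged = {**default.get(name, {}), **local.get(name, {})}
        args = (v.split("=", 1) for a, v in merged.items()
                if a.startswith("command.arg.") and "=" in v)
        limits[name] = {k.strip(): int(n) for k, n in args}
    return limits

def audit(limits):
    """Flag disabled (0) limits and disagreement between the two stanzas."""
    findings = [f"{s}: {k}=0 (limit disabled)" for s in STANZAS
                for k in LIMITS if limits[s].get(k) == 0]
    if limits["journeyv2"] != limits["journeyv2py"]:
        findings.append("journeyv2 and journeyv2py limits differ")
    return findings
```

With the constructed local file, journeyv2py still inherits maxcorrelationmatches=30 from the default file because the local stanza sets only command.arg.1, so the two commands run with different limits.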
Last modified on 01 April, 2020

This documentation applies to the following versions of Splunk® Business Flow (Legacy): -Latest-

