Splunk® Business Flow (Legacy)

Admin Manual

Acrobat logo Download manual as PDF


Splunk Business Flow is no longer available for purchase as of June 20, 2020. Customers who have already purchased Business Flow will continue to have support and maintenance per standard support terms for the remainder of contractual commitments.
Acrobat logo Download topic as PDF

Understand Notifications in SBF

Learn how SBF leverages the Splunk Enterprise alerting framework so that you can view and manage the scheduled searches associated with your SBF Notifications.

How SBF Notifications leverage the Splunk Enterprise alerting framework

In SBF, you can create a Notification on your Filter Set that notifies you when Journeys in your Filter Set meet your defined trigger conditions. You can create up to two Notifications per Filter Set. In the Notifications tab, you can view the Journeys that triggered the Notification, and see the associated Filter set and Flow. Enable email Notifications to receive an update when a change in Journeys triggers a Notification in your Filter Set.

SBFNotify processes data and runs Filter Set subsearches

When you create a Notification, SBF creates two scheduled searches. The first scheduled search is called SBFNotify_<GUID>. This search is tied to the Flow Model. There is only one SBFNotify_<GUID> per Flow Model. Your GUID maps to the flowModel ID. Learn how to identify the Flow Model ID in View the scheduled searches associated with your Notification.

The SBFNotify_<GUID> scheduled search performs tasks in two phases. In the first phase, SBF runs the Flow Model search that processes your data and groups events into Journeys. In the second phase, SBF runs a subsearch for each Filter Set that has a Notification and sends the results to the _cja_notification index.

As you add more Notifications, the SBFNotify_<GUID> search updates to include the new parameters of the Notification. The SBFNotify_<GUID> scheduled search processes data at the lowest frequency of the Notification associated with the Flow Model.

SBFNotify_Alert monitors the index

Next, SBF creates the the second scheduled called SBFNotify_Alert_<GUID>. This search continuously monitors the _cja_notification index. Each Notification has a corresponding SBFNotify_Alert_<GUID> scheduled search. If the SBFNotify_Alert_<GUID> scheduled search identifies an event that fits the criteria of the Notification, it fires an alert at the schedule you selected.

Your GUID maps to the flowModel ID. Learn how to identify the Notification ID in View the scheduled searches associated with your Notification.

View the scheduled searches associated with your Notification

Follow these steps to view the scheduled searches associated with your Notification.

How to find your Flow Model and notification ID

First, you need to find the Flow Model ID and Notification ID so that you can Identify the scheduled searches associated with your Notifications.

  1. Click Edit on the Flow Model associated with your Notification.
  2. At the end of the URL, the number letter combination that follows flowModel= is your Flow Model ID.
  3. Click the bell icon to access the Notifications page.
  4. Click the name of the Notification.
  5. At the end of the URL, the number letter combination that follows notificationId= is your Notification ID.

Find the scheduled searches associated with your Notification

  • To view the SBFNotify_<GUID> search add app/splunk-business-flow/reports to the URL you use to access SBF.
  • To view the SBFNotify_Alerts_<GUID> search add app/splunk-business-flow/alerts to the URL you use to access SBF. The Flow Model ID is listed first, followed by the Notification ID.

Example

Let's walk through an example to understand how SBF Notifications leverage the Splunk Enterprise alerting framework. Suppose you have a Flow Model named Order System. You create three Flows that map to three warehouses. You add a Notification to each Flow. Although you set Notifications on a Filter Set in a Flow, the Notifications are tied to the base Flow Model. So, as seen in the following diagram, Notifications A, B, and C are all tied to the same Flow Model named Order System.

For this example:

  • Order System flowModel ID=123
  • A Notification ID = 123A
  • B Notification ID = 123B
  • C Notification ID = 123C

So, the scheduled search that corresponds to the Flow Model is named SBF_Notify_123. The scheduled searches that correspond to the Notifications are named: SBF_Notify_Alert_123A, SBF_Notify_Alert_123B, and SBF_Notify_Alert_123C.

Last modified on 24 April, 2020
PREVIOUS
Configure roles and manage access to Splunk Business Flow 		  NEXT
Check Splunk Business Flow status and view incidents

This documentation applies to the following versions of Splunk® Business Flow (Legacy): -Latest-

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters