Splunk® Business Flow (Legacy)

Admin Manual

Splunk Business Flow is no longer available for purchase as of June 20, 2020. Customers who have already purchased Business Flow will continue to have support and maintenance per standard support terms for the remainder of contractual commitments.

SBF concepts and terminology

The following examples introduce important terminology and concepts in SBF.


In SBF you create a Flow Model, define the fields you want to track and correlate, and explore Journeys. Then, save your analyses as a Flow.

Flow Model

"Flow Model" refers to a grouping of discrete information which represents a transaction, session, or other business process that is configured within Splunk Business Flow. The Flow Model contains a repository of events that you are interested in analyzing. In the Flow Model, you define what field names you want to track, and how you want to correlate events. The following components make up a Flow Model definition: a search and the fields that represent one or more Correlation IDs, Steps, and Attributes. The Search scans the event logs, transforms or extracts events based on the specifications of the search, and then returns the results. The Flow Model definition determines how SBF identifies and groups related events into ordered sequences called Journeys.


Flow

A Flow is a saved view of the analyses and settings you applied to the Flow Model in the Explorer. These include step filters, Journey duration, conversion funnels, and metric summaries. You can create multiple Flows from the same Flow Model. All changes to Flow Models propagate to related Flows. Saving your work as a Flow enables users who do not have knowledge of SPL to interact with and explore the data.


Journey

A Journey contains all the Steps a user or object executes during a process. For example, suppose you create a Flow Model to analyze order system data for an online clothes retailer. A sample Journey in this Flow Model could track an order from time of placement to delivery.


Step

A step is the status of an action or process you want to track. The customer steps for a Journey in the order system Flow Model could be: order placed, order shipped, order in transit, order delivered.

Correlation ID

Correlation IDs are the field names that correspond to unique descriptors of events such as user_ID, customer_ID, phone_number, or caller_ID. Splunk Business Flow uses Correlation IDs to identify related events in the event log and group them into Journeys. Continuing with the same example, a Correlation ID for the order system Journey could be the order_id.


Attribute

An attribute is an optional component of a Flow Model. An attribute represents additional information you'd like to include in your search, such as location. You can use attributes to filter journeys. For example, you could filter Journeys from the order system Flow Model by the warehouse the item originated from.

Important terminology and concepts in SBF

SBF identifies related events and groups them into ordered sequences called Journeys. The following example walks through how SBF groups events into Journeys and Journeys into the Flowchart.

Event grouping

In this example, you are interested in tracking how customers make purchases on the Buttercup Game Store website. Consider the event log to be a timeline of events generated from a process or system. Each event contains a timestamp, a step, and a field name which corresponds to the Correlation ID.

The Correlation ID in this diagram is user_ID and it corresponds to two field values: user123 and user456. Because there are two distinct identities, there are two Journeys. Each Journey contains the respective steps the user took during a period of time. The following diagram shows a high-level overview of how SBF groups events into Journeys.

This diagram shows how Splunk Business Flow groups related events into Journeys. The event log lists a series of events from the Buttercup Games Game Store. Each event has a timestamp from when the event occurred, a Correlation ID, and a step. The Correlation ID is the user ID of the customer. In this case, there are three unique user IDs. The step is the action the customer took, such as add to cart, apply coupon, and purchase. Splunk Business Flow groups the events by Correlation ID, in this case, the unique user IDs. There are two Journeys, which correspond to the two User IDs. The Journeys list the corresponding steps in chronological order.

Journey grouping

The Flowchart feature groups a collection of Journeys into a single, ordered sequence of steps. The following diagram represents the Flowchart for the Buttercup Game Store example. This Flowchart contains three Journeys and all of the steps included in those Journeys. The number next to each step reflects the number of Journeys this step appeared in.

This diagram shows how Splunk Business Flow groups Journeys into the Flowchart feature. The Flowchart contains three Journeys and all of the steps included in those Journeys. The flowchart lists all steps from the three Journeys and the frequency of each step.
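The two grouping stages described above (events into Journeys, then Journeys into Flowchart step counts) can be sketched as follows. This is an added example, not Splunk's code: the event rows are constructed, the function names are hypothetical, and skipping events that have no Correlation ID is an assumption made for the sketch.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample event log (not the page's diagram data):
# (timestamp, Correlation ID value of user_ID, step), deliberately out of order.
EVENTS = [
    ("2019-09-19T10:00:05", "user123", "add to cart"),
    ("2019-09-19T10:00:01", "user456", "add to cart"),
    ("2019-09-19T10:02:30", "user123", "purchase"),
    ("2019-09-19T10:01:10", "user456", "apply coupon"),
    ("2019-09-19T10:03:00", "user789", "add to cart"),
    ("2019-09-19T10:04:45", "user456", "purchase"),
    ("2019-09-19T10:05:00", "user789", "add to cart"),
    ("2019-09-19T10:06:00", "", "purchase"),  # event with no Correlation ID
]


def group_into_journeys(events):
    """Group events by Correlation ID and order each group's steps by timestamp."""
    grouped = defaultdict(list)
    for ts, correlation_id, step in events:
        if not correlation_id:
            # Assumption for this sketch: an event without a Correlation ID
            # cannot be attached to any Journey, so it is skipped.
            continue
        grouped[correlation_id].append((datetime.fromisoformat(ts), step))
    # Sorting the (timestamp, step) pairs yields chronological order per Journey.
    return {cid: [step for _, step in sorted(rows)] for cid, rows in grouped.items()}


def flowchart_counts(journeys):
    """For each step, count the number of Journeys it appears in."""
    counts = Counter()
    for steps in journeys.values():
        # set() ensures a step repeated inside one Journey is counted once.
        counts.update(set(steps))
    return dict(counts)


if __name__ == "__main__":
    journeys = group_into_journeys(EVENTS)
    for cid, steps in journeys.items():
        print(cid, "->", " > ".join(steps))
    print(flowchart_counts(journeys))
```
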

Last modified on 19 September, 2019

This documentation applies to the following versions of Splunk® Business Flow (Legacy): -Latest-
