Splunk® Business Flow (Legacy)

User Manual

Splunk Business Flow is no longer available for purchase as of June 20, 2020. Customers who have already purchased Business Flow will continue to have support and maintenance per standard support terms for the remainder of contractual commitments.

Consider how you want to group events into Journeys

After you identify the process you want to track and the corresponding Flow Model components, consider how you want to group the events into Journeys. When you create a Flow Model, you select each Correlation ID, Step, and Attribute from a list of field names. The assignment of field names as Correlation IDs, steps, and attributes is subjective, and depends on how you want to group related events into Journeys.

For example, say you are interested in tracking the customer workflow for an online store. You want to analyze what products customers purchased, the payment type used, and discover if customers encountered long wait times, payment errors, or other roadblocks on the website. You have the following field names in your data: username, action, location, and order ID. You create a Flow Model and select username as a Correlation ID, action as a step, and location as an attribute. Therefore, you can view the individual customer Journeys by username, based on the actions the customer took, and you can filter the results by location.

Examples

Suppose you are interested in tracking an order system process. In this process, there are two Correlation IDs Order ID and Order line item ID. Order ID corresponds to a unique order submitted by a customer. Order line item ID corresponds to the individual items contained in the order. For example, say you ordered two games from the Buttercup Games online store. Each game is an order line item. Your order has one order ID because you placed one order, and two order line item IDs because you have two order line items.

The following table shows a collection of events from the order system event log. This event log captures the following flow: an order line item ships from a warehouse, the order line item is in transit, then the order is delivered. Each event contains an Order ID and an Order line item ID. When you create a Flow Model, you select one or more Correlation IDs. Depending on how you want to structure your Journeys you can use either or both Order ID and Order line item ID as Correlation IDs.

This table also includes information about which warehouse the order shipped from. You can consider the warehouse information an attribute. An attribute is an optional component of a Flow Model. You can use attributes to filter your results.


There are five columns with six rows of data. The first column lists the timestamp of the event. The second column lists the steps, such as "order placed," "order line item shipped," and "order completed." The third column corresponds to "Order ID," which has two field values "order1" and "order2." The third column corresponds to the field name "Order line item ID," which has three field values "oli1.1", "oli1.2," and "oli2.1." The fifth column shows the Warehouse where the item shipped from, either "wh1" or "wh2."


Order ID

The following examples illustrate how different combinations of Correlation IDs affect event grouping. Assume that the search in the Flow Model is the same for all examples.

In this example, the events are grouped by Order ID, which has two field values. Therefore, there are two Journeys: one for each field value of Order ID. The following table shows the field name and values of the correlation ID and attribute used in this example.

Field name Field values
Order ID order1, order2
Warehouse wh1, wh2


This diagram shows how events are grouped based off of one Correlation ID, "order ID." "Order ID" has two field values, "order1" and "order2", therefore there are two Journeys. The steps in the event log are sorted by Correlation ID. The first Journey corresponds to "order1". All of the steps in the event log that contain "order1" are listed in chronological order. The steps are: order line item shipped, order line item in transit, order line item shipped, and order line item delivered. Next to each step are the associated Correlation IDs that appear in the event.

If you add Order line item ID as an attribute, the Journeys retain the same structure. When you add an attribute to a Flow Model, you include extra information that you can use to filter your results. In this case, you can view complete orders, and then filter by order line item.


This diagram has "order ID" as the Correlation ID, and "order line item ID" as an attribute. There are two field values for "order ID", therefore there are two Journeys. In the order1 journey, the step order line item in transit is associated with oli1.1 and order line item shipped with oli1.2. In the order2 Journey, the step order line item in transit is associated with oli2.1

Order ID and Order line item ID

In this example, the events are grouped by both Order ID and Order line item ID. The Flow Model uses gluing events to identify related events and group all subsequent and preceding steps with the same Correlation IDs into a Journey. When order1 and oli1.1 appear in the same event, all steps with either order1 or oli1.1 are grouped into the same Journey. There are three unique combinations of Order ID and Order line item ID, therefore there are three Journeys.

The following table shows the field names and values of the correlation IDs and attribute used in this example.

Field name Field values
Order ID order1, order2
Order line item ID oli1.1, oli1.2, oli2.1
Warehouse wh1, wh2


This diagram shows how events are grouped when you have two correlation IDs. In this example, the Correlation IDs are "order ID" and "order line item ID." "Order ID" has two field values, "order1" and "order2" and order line item has three field values: "oili1.1," "oli1.2," and "oli2.1." There are three Journeys. The first Journey contains all steps that have oli1.1 and order1. The second Journey contains all steps that have oli2.1 and order1. The third Journey contains all steps that have order 2 and oli2.1.
Suppose you notice an increase in average Journey duration. To investigate, you can add warehouse as an attribute and view all Journeys that pass through each warehouse.


This diagram has order ID and order line item ID as Correlation IDs and warehouse as an attribute. The Journeys have the same structure as the previous diagram. In the first Journey, the step order line item shipped for is associated with the attribute wh1 and oli1.1. In the second Journey, the step order line item shipped is associated with wh2 and oli1.2. In the third Journey, the step order line item shipped is associated with oli2.1 and wh1.

Order line item ID

In this example, you are interested in tracking individual order line items. There are three order line items and therefore three Journeys. The following table shows the field name and values of the correlation ID and attribute used in this example.

Field name Field values
Order line item ID oli1.1, oli1.2, oli2.1
Warehouse wh1, wh2


This diagram shows how events are grouped by Correlation ID order line item ID. There are three order line items, therefore there are three Journeys. The first Journey is for oli1,1 and has the following steps: order line item shipped, order line item in transit, and order line item delivered. In the second Journey, there is only one step, order line item shipped, associated with oli1.2. In the third Journey, for oli2.1, the steps are order line item shipped, and order line item in transit.

Suppose you want to compare the transit duration of order line items. An order, such as order1, is not complete until all order line items are delivered. If you add order ID as an attribute, then you can view line items by order and compare the duration of the order line item Journeys.
This diagram has Correlation ID order line item ID, and attribute order ID. The Journeys have the same structure as the previous diagram. In the first Journey, all steps are associated with order 1. In the second Journey the step, order line item shipped, is also associated with order 1. In the third Journey, all steps are associated with order2.

Last modified on 27 September, 2019
Identify your Correlation IDs, Steps, and Attributes   Write a search for a Flow Model

This documentation applies to the following versions of Splunk® Business Flow (Legacy): -Latest-

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters