Identify your Correlation IDs, Steps, and Attributes
"Flow Model" refers to a grouping of discrete information which represents a transaction, session, or other business process that is configured within Splunk Business Flow. The Flow Model contains a repository of events that you are interested in analyzing. In the Flow Model, you define what field names you want to track, and how you want to correlate events. The following components make up a Flow Model definition: a search and the fields that represent one or more Correlation IDs, Steps, and Attributes. The Search scans the event logs, transforms or extracts events based on the specifications of the search, and then returns the results. The Flow Model definition determines how SBF identifies and groups related events into ordered sequences called Journeys.
The basic recipe for a Flow Model in Splunk Business Flow (SBF) includes a search and one or more Correlation IDs, steps, and attributes. Attributes are optional.
Correlation IDs and gluing events
The Flow Model uses Correlation IDs to discover unique connections across multiple sources and group relevant events. Correlation IDs are unique descriptors of events such as user ID, customer ID, phone number, or caller ID. Depending on the process you want to track, you may need multiple Correlation IDs to identify all the related events. If you have multiple Correlation IDs, verify that you have gluing events in your data. A gluing event is when two or more Correlation IDs occur in the same event. Splunk Business Flow uses gluing events to discover connections across disparate systems and to also create journeys.
The following diagram shows a sample of events from fictitious call center data. In this example, there are two Correlation IDs: call_from and caller_id. In the first event, the customer is identified by a phone number, which is associated with the Correlation ID call_from. In the second event, when the call is answered, the customer is assigned a caller ID. In the third event, the customer is only identified by the caller ID. The gluing event associates all events with call_from = 000 000 0000 and caller_id = 155 as part of the same customer journey.
Step
The step corresponds to the series of actions an item or person takes in the process that you want to track. Continuing with the same example, the step is the status of the call. In the first event, the call is placed in a queue. In the second event, the call is answered. In the third event, the call is dropped. Status is the step because it captures all action phases in this process.
Attributes
An attribute is an optional component of a Flow Model. An attribute represents additional information you'd like to include in your search, such as location. Use attributes to filter journeys.
In this example, you can use country_code as an attribute to filter journeys based on the location the customer called from. The customer has country_code = 044, therefore the customer called from the UK.
If your data sources contain more than 100 Attribute fields, some fields might not appear in the Flow Model editor.
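The following sketch is an added illustration, not Splunk Business Flow code and not a description of how SBF is implemented. It shows one way to picture how a gluing event links two Correlation IDs into a single journey, how the Step field orders the journey, and how an Attribute filters journeys. The event records, timestamps, status values, and function names are assumptions constructed from the call center example above.

```python
# Added illustration only: constructed sample events, hypothetical function names.
from collections import defaultdict

CORRELATION_IDS = ("call_from", "caller_id")
STEP_FIELD = "status"

EVENTS = [  # constructed sample data based on the call center example
    {"time": 1, "call_from": "000 000 0000", "status": "queued", "country_code": "044"},
    {"time": 2, "call_from": "000 000 0000", "caller_id": "155", "status": "answered"},  # gluing event
    {"time": 3, "caller_id": "155", "status": "dropped"},
    {"time": 4, "call_from": "111 111 1111", "status": "queued", "country_code": "001"},
]

def build_journeys(events):
    """Group events whose Correlation ID values are linked by gluing events."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    # Pass 1: every event that carries two Correlation IDs glues them together.
    for ev in events:
        keys = [(f, ev[f]) for f in CORRELATION_IDS if f in ev]
        for k in keys:
            find(k)
        for other in keys[1:]:
            parent[find(other)] = find(keys[0])

    # Pass 2: assign each event to the journey of its Correlation ID group.
    journeys = defaultdict(list)
    for ev in events:
        keys = [(f, ev[f]) for f in CORRELATION_IDS if f in ev]
        if keys:  # an event with no Correlation ID cannot join a journey
            journeys[find(keys[0])].append(ev)
    return [sorted(j, key=lambda e: e["time"]) for j in journeys.values()]

def steps(journey):
    """Ordered Step values of one journey."""
    return [ev[STEP_FIELD] for ev in journey]

def filter_by_attribute(journeys, name, value):
    """Keep journeys in which any event carries the given Attribute value."""
    return [j for j in journeys if any(ev.get(name) == value for ev in j)]
```

Removing the second event from the sample leaves the first and third events in separate journeys, which is why the text above asks you to verify that gluing events exist when you use multiple Correlation IDs.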
This documentation applies to the following versions of Splunk® Business Flow (Legacy): -Latest-