Splunk® Business Flow (Legacy)

User Manual



Splunk Business Flow is no longer available for purchase as of June 20, 2020. Customers who have already purchased Business Flow will continue to have support and maintenance per standard support terms for the remainder of contractual commitments.

Terminology and concepts in Splunk Business Flow

The following sections introduce important terminology and concepts in Splunk Business Flow (SBF).

Flow Model

"Flow Model" refers to a grouping of discrete information which represents a transaction, session, or other business process that is configured within Splunk Business Flow. The Flow Model contains a repository of events that you are interested in analyzing. In the Flow Model, you define what field names you want to track, and how you want to correlate events. The following components make up a Flow Model definition: a search and the fields that represent one or more Correlation IDs, Steps, and Attributes. The Search scans the event logs, transforms or extracts events based on the specifications of the search, and then returns the results. The Flow Model definition determines how SBF identifies and groups related events into ordered sequences called Journeys.

Flow

A Flow is a saved view of the analyses and filter settings you applied to the Flow Model in the Explorer. These filter settings include step filters, Journey duration, conversion funnels, and metric summaries. You can create multiple Flows from the same Flow Model. All changes to Flow Models propagate to related Flows. Saving your work as a Flow enables users who do not have knowledge of SPL to interact with and explore the data.

Journey

A Journey contains all the Steps that a user or object executes during a process. For example, suppose you create a Flow Model to analyze order system data for an online clothes retailer. A sample Journey in this Flow Model might track an order from time of placement to delivery.

Step

A Step is the status of an action or process you want to track. For an order system Flow Model, the steps in a Journey might consist of the order placed, the order shipped, the order in transit, and the order delivered.

Path

In SBF, a path is the span between two steps in a Journey. Suppose you have a Journey with the following steps: A, B, C, D. You can define a path in two ways: as the span between two consecutive steps, or as the span between one step eventually followed by another step. For example, you can select either the span between A and B or the span between A and D as a path.

Correlation ID

Correlation IDs are the field names that correspond to unique descriptors of events, such as user_ID, customer_ID, phone_number, or caller_ID. Splunk Business Flow uses Correlation IDs to identify related events in the event log and group them into Journeys. Continuing with the same example, a Correlation ID for the order system Journey might be the order_id.

Attribute

An attribute is an optional component of a Flow Model. An attribute represents additional information you'd like to include in your search, such as location. You can use attributes to filter Journeys. For example, you might filter Journeys from the order system Flow Model by setting the warehouse field name as an Attribute to see which warehouse an order originated from.

Concepts

SBF identifies related events and groups them into ordered sequences called Journeys. The following example walks through how SBF groups events into Journeys and Journeys into the Flowchart.

How SBF groups events into Journeys

In this example, you are interested in tracking how customers make purchases on the Buttercup Games website. Consider the event log to be a timeline of events generated from a process or system. Each event contains a timestamp, a step, and a field name that corresponds to the Correlation ID.

The Correlation ID in the following diagram is user_ID and it corresponds to two field values: user123 and user456. The two distinct identities create two different Journeys. Each Journey contains the steps that the user took during a period of time. The following diagram shows a high-level overview of how SBF groups events into Journeys:

This diagram shows how Splunk Business Flow groups related events into Journeys. The event log lists a series of events from the Buttercup Games Game Store. Each event has a timestamp from when the event occurred, a Correlation ID, and a step. The Correlation ID is the user ID of the customer. In this case, there are three unique user IDs. The step is the action the customer took, such as add to cart, apply coupon, and submit. Splunk Business Flow groups the events by Correlation ID, in this case, the unique user IDs. There are two Journeys, which correspond to the two User IDs. The Journeys list the corresponding steps in chronological order.

How SBF groups Journeys in the Flowchart

The Flowchart feature groups a collection of Journeys into a single, ordered sequence of steps. The following diagram represents the Flowchart for the Buttercup Games website example. This Flowchart contains three Journeys and all of the steps included in those Journeys. The number next to each step reflects the number of Journeys this step appeared in.

This diagram shows how Splunk Business Flow groups Journeys into the Flowchart feature. The Flowchart contains three Journeys and all of the steps included in those Journeys. The flowchart lists all steps from the three Journeys and the frequency of each step.
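The grouping described in the two sections above, and the two Path definitions from the terminology section, as an added Python example (not Splunk's implementation and not code from this manual). The event rows are constructed, `user789` is a made-up third user, and the function names are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed event log: (timestamp, user_ID, step). user_ID is the Correlation ID.
# Rows are deliberately not in time order to show that Journeys are ordered by timestamp.
EVENTS = [
    ("2019-09-18T10:00:05", "user123", "add to cart"),
    ("2019-09-18T10:00:09", "user456", "add to cart"),
    ("2019-09-18T10:03:02", "user123", "submit"),
    ("2019-09-18T10:01:30", "user123", "apply coupon"),
    ("2019-09-18T10:02:10", "user789", "add to cart"),
    ("2019-09-18T10:02:44", "user456", "submit"),
]

def build_journeys(events):
    """Group events by Correlation ID and return each Journey's steps in time order."""
    grouped = defaultdict(list)
    for ts, corr_id, step in events:
        grouped[corr_id].append((datetime.fromisoformat(ts), step))
    return {cid: [step for _, step in sorted(rows)] for cid, rows in grouped.items()}

def flowchart_counts(journeys):
    """Count, for every step, the number of Journeys it appears in."""
    counts = Counter()
    for steps in journeys.values():
        counts.update(set(steps))  # a step counts once per Journey
    return counts

def has_path(steps, start, end, consecutive=False):
    """True if `start` is followed by `end`: directly, or eventually (the default)."""
    for i, step in enumerate(steps):
        if step != start:
            continue
        later = steps[i + 1:i + 2] if consecutive else steps[i + 1:]
        if end in later:
            return True
    return False

if __name__ == "__main__":
    journeys = build_journeys(EVENTS)
    for cid, steps in journeys.items():
        print(cid, "->", " > ".join(steps))
    print(dict(flowchart_counts(journeys)))
```
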

Last modified on 18 September, 2019

This documentation applies to the following versions of Splunk® Business Flow (Legacy): -Latest-

