Splunk® Business Flow (Legacy)

User Manual

Splunk Business Flow is no longer available for purchase as of June 20, 2020. Customers who have already purchased Business Flow will continue to have support and maintenance per standard support terms for the remainder of contractual commitments.

Create a Flow Model

In SBF, you need to first create a Flow Model. "Flow Model" refers to a grouping of discrete information which represents a transaction, session, or other business process that is configured within Splunk Business Flow. When you create a Flow Model you validate that the Flow Model contains the repository of events that you want to analyze.

Create a Flow from a Flow Model to begin your analysis and gain access to Filter Sets and Notifications. You can create multiple Flows from the same Flow Model. Creating a Flow enables users who do not have knowledge of SPL to interact with and explore the data.

What you need to know before you create a Flow Model

Before you create a Flow Model, you need to determine your Flow Model definition. The following components make up a Flow Model definition: a search and the fields that represent one or more Correlation IDs, Steps, and Attributes. The search scans the event logs, transforms or extracts events based on the specifications of the search, and then returns the results. The Flow Model definition determines how SBF identifies and groups related events into ordered sequences called Journeys. If you are unfamiliar with which field names correspond to your Correlation IDs, Step, and Attributes, see Identify your Correlation IDs, Step, and Attributes.

Write or add a search

When you create a Flow Model you can write a search, or you can add a saved search, table dataset, or data model. If you do not know how to write a search for your Flow Model, see Write a search for a Flow Model.

Restrictions

Some searches are not permitted in SBF. For more, see Risky searches in SBF in the Troubleshooting topic.

If you want to combine Flow Models, your Flow Models can contain only streaming commands. The Combine Flow Models feature generates a search that starts with the multisearch command. Any Flow Model you wish to combine using the Combine Flow Models feature must adhere to the requirements of the multisearch command. For more, see Multisearch in the Splunk Enterprise Search Reference.

To add a saved search in SBF, you must save the search in the SBF App: Splunk Business Flow in searches, reports, and alerts.

Consider the visibility of your Flow Model

Setting a Flow Model's visibility to Shared lets you save and share Flows with users in your organization. Shared Flow Models count toward the Flow Model limit listed in your Splunk Business Flow license. Set Flow Models to Private for testing and development. Private Flow Models do not count toward the Flow Model usage. You can't create Flows from a Private Flow Model. If you set a Flow Model to Private after you create Flows, you cannot access the dependent Flows. The sbf_set_visibility_flow_model capability allows users to set the visibility of a Flow Model from Shared to Private and the reverse.

In this tutorial you set the Flow Model to Shared so that you can create a Flow.

Create a Flow Model

Follow these steps to create a Flow Model.

Define your Flow Model

After you familiarize yourself with your data and determine your Correlation IDs, Step, and Attributes, you can create a Flow Model.

  1. In SBF, click the Flow Model icon to open the Flow Models page.
  2. Click the New Flow Model button.
  3. Enter a name.
  4. (Optional) Enter a description.
  5. Set the visibility of your Flow Model to either Private or Shared.
  6. Enter a search.
    (Optional) You can add a saved search, table dataset, or data model.
  7. Click Save.
  8. Select a field name under Correlation IDs.
    You can select multiple Correlation IDs.
  9. Select a field name under Step.
    You can only have one Step in a Flow Model.
  10. (Optional) Select the field name under Attributes.
    You can select multiple Attributes. Attributes are optional.
  11. Select a sample size.
    Select the sample size of events you want to search. Increase the sample size to view more events. Decrease the sample size to reduce search time.
  12. Select a Max Duration.
    The Max Duration determines how events are grouped into Journeys. All events that contain the same Correlation ID and that took place within the Max Duration, starting with the first occurrence of the Correlation ID, are grouped into the same Journey.
  13. Click Save.

Validate your Flow Model

Next, validate that your Flow Model definition contains all the steps you are interested in tracking. Change the mode to Complete Mode to view more Journey results.

Change the visibility of your Flow Model

After you create a Flow Model, you can change the Flow Model visibility from Private to Shared and the reverse.

Prerequisite
In order to change the visibility of a Flow Model, you must be an admin or a member of the sbf_modeler role, or you must have the sbf_set_visibility_flow_model capability.

Steps

  1. In SBF, click the Flow Model icon to open the Flow Model page.
    • To set a Flow Model to Private, select Private under visibility.
    • To set a Flow Model to Shared, select Shared under visibility.

Tutorial

The following tutorial walks through how to add a Flow Model in SBF. This tutorial uses data from the fictitious Buttercup Games Store. The Buttercup Games Store dataset has three data sources: web-6.txt, order.txt, and call-center.txt.

Suppose you are a business analyst at the fictitious Buttercup Games Store. The Buttercup Games company launched a coupon campaign for a flash sale on their website. You want to analyze the effectiveness of the coupon campaign, and track what customers purchase by geographical region. The process you are interested in occurs on the website, so you need only one data source: web-6.txt. The data spans from July 31 to August 2, 2018.

You already identified the Correlation ID, Step, and Attribute for this Flow Model and wrote a search in the Write a search for a single data source tutorial.

| Search | Correlation ID | Step | Attribute |
| --- | --- | --- | --- |
| index="tutorial" sourcetype="web-6" | customer_id | action | country, product |

Prerequisite
If you did not complete the Getting Started Tutorial, download the Game_store.zip file. Do not uncompress the file. To upload the Game Store data into the Splunk platform, see Upload the tutorial data in the Getting Started Tutorial.

Steps

  1. In SBF, click the Flow Model icon to open the Flow Models page.
  2. Click the New Flow Model button.
  3. Type Buttercup Games Flash Sale in the Name.
  4. (Optional) Enter a description.
  5. Type the following in Search:

    index="tutorial" sourcetype="web-6"

  6. Click Save.
  7. Select customer_id under Correlation IDs.
    You can select multiple Correlation IDs.
  8. Select action under Step.
    You can only have one Step in a Flow Model.
  9. Select country under Attributes.
    Attributes are optional.
  10. Select a sample size.
    Select the sample size of events you want to search. Increase the sample size to view more events. Decrease the sample size to reduce search time.
  11. Select a Max Duration.
    In this example, you selected the field name customer_id as the Correlation ID and a max duration of 5 minutes. Suppose you have the Correlation ID field value user123. All events that contain user123 that took place within five minutes of the first occurrence of user123 are grouped into the same Journey.
  12. Click the Validate tab.
  13. Change the time range picker to All Time.
    As a business analyst at Buttercup Games you are familiar with the weblogs traffic and typical Journey a user completes on the website. The steps shown in the Flowchart reflect the steps you want to track:
    • new account created
    • add-to-cart
    • apply coupon
    • purchase
    • error
  14. Click Save.
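
The Max Duration grouping described in both procedures above can be sketched outside the product. The following is an added example, not SBF's own code: the events are constructed in the shape of the tutorial's customer_id and action fields, the five-minute boundary is assumed to be inclusive, and an event that falls after the window is assumed to open a new Journey for that Correlation ID.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, customer_id, action).
EVENTS = [
    ("2018-07-31 10:00:00", "user123", "new account created"),
    ("2018-07-31 10:01:30", "user123", "add-to-cart"),
    ("2018-07-31 10:02:10", "user456", "add-to-cart"),
    ("2018-07-31 10:03:00", "user123", "apply coupon"),
    ("2018-07-31 10:04:45", "user123", "purchase"),
    ("2018-07-31 10:09:00", "user123", "add-to-cart"),
    ("2018-07-31 10:09:30", "user456", "error"),
]


def group_journeys(events, max_duration=timedelta(minutes=5)):
    """Group (time, correlation_id, step) tuples into ordered Journeys.

    A Journey's window opens at the first occurrence of a Correlation ID.
    Assumptions: the window boundary is inclusive, and an event past the
    window starts a new Journey with a window of its own.
    """
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), cid, step)
        for ts, cid, step in events
    )
    journeys = defaultdict(list)  # correlation id -> list of open/closed Journeys
    for when, cid, step in parsed:
        current = journeys[cid][-1] if journeys[cid] else None
        # Measure from the Journey's first event, not from the previous event.
        if current is None or when - current["start"] > max_duration:
            current = {"start": when, "steps": []}
            journeys[cid].append(current)
        current["steps"].append(step)
    return {cid: [j["steps"] for j in js] for cid, js in journeys.items()}


if __name__ == "__main__":
    for cid, js in group_journeys(EVENTS).items():
        for number, steps in enumerate(js, start=1):
            print(f"{cid} journey {number}: {' -> '.join(steps)}")
```

With a five-minute Max Duration, user123's second add-to-cart lands in a separate Journey; raising the Max Duration to ten minutes folds it into the first one, which is the effect to check for on the Validate tab.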
Last modified on 13 July, 2020

This documentation applies to the following versions of Splunk® Business Flow (Legacy): -Latest-

