Splunk® Business Flow (Legacy)

User Manual

Splunk Business Flow is no longer available for purchase as of June 20, 2020. Customers who have already purchased Business Flow will continue to have support and maintenance per standard support terms for the remainder of contractual commitments.

Combine Flow Models

Sometimes, the Journey you want to track spans multiple Flow Models. To see the complete Journey, you need to create a single Flow Model that contains all the events you want to analyze. In Splunk Business Flow, there are two ways to create a Flow Model for multiple data sources. You can create another Flow Model and write a search that captures the complete process across all data sources, or you can combine existing Flow Models. When you use the Combine Flow Models feature, you create a Flow Model without writing a search or modifying the original Flow Models.

Why combine your Flow Models?

When you combine Flow Models, you create a Flow Model without writing a search, maintain individual ownership of each Flow Model, and view complete Journeys across multiple data sources. The following example walks through how combining Flow Models can work for you and your organization.

Suppose you are a business process expert on marketing data at Buttercup Games. You work on a team with two business analysts who are order system data and sales data process experts. You and your two colleagues create and validate a Flow Model for each area of expertise.

The marketing team at Buttercup Games implemented a targeted email campaign to promote a new game. You are tasked with assessing the success of the email campaign, determining how many people purchased the new game, and analyzing the order system data to find bottlenecks in the shipping process. The Journeys you are interested in span the marketing, sales, and order system Flow Models. To view the complete Journey, you need to combine all three Flow Models. When you combine the marketing, sales, and order system Flow Models, you can both maintain the individual ownership of each Flow Model and view the complete Journey.

How does the Combine Flow Models feature work?

The Combine Flow Models feature generates a search that starts with a multisearch command and ends with a coalesce command. The multisearch command runs multiple streaming searches at the same time. The coalesce command captures the step field names from each Flow Model in the new field name combinedStep. The feature doesn't require step field names to match across all Flow Models. The Combine Flow Model feature does not work like a join command in SQL.

Select the Flow Models you want to combine

Before you select the Flow Models you want to combine, consider how your Flow Models are related. Do your Flow Models share a common Correlation ID? Do you suspect that different field names in Flow Models share common field values? For more, see Identify your Correlation IDs, Steps and Attributes.

Create a correlation and verify your matches

After you select the Flow Models you want to combine, use the correlation matrix to create correlations and verify field value matches. The correlation matrix lists all the Flow Models you selected and their corresponding intersections. When you create a correlation between two Flow Models, the match appears in two places. For example, say you have a matrix with rows R1, R2, R3 and columns C1, C2, C3. The results that correspond to the row R2 and the column C1 are the same as the results in the row R1 and the column C2. If you have three Flow models, you do not need to create a correlation at each intersection to combine the Flow Models. The following diagram illustrates a conceptual overview of the R1, R2, R3 by C1, C2, C3 matrix.
This image shows a conceptual diagram of the three by three matrix R1,R2,R3, by C1,C2,C3. The diagram highlights that the results (R2, C1 ) and (R1, C2) are the same.

If the same field values correspond to different names, you can use the Correlation ID matching feature to verify field value matches. For example, say you have two Flow Models: weblogs and order system data. The weblogs Flow Model has correlation ID username, and the order system Flow Model has correlation ID user_id. You can use the Correlation ID matching tables to verify that the correlation IDs you selected contain matching field values. If the field values match exactly, a checkmark appears next to the field values. The following conceptual diagram illustrates two matches between field values user101 and user789.

This diagram shows two tables. The first column contains all field names that correspond to username. The first column contains all field names that correspond to  user_id.

Requirements and restrictions

Before you combine Flow Models, determine how the events in the process are related. Identify the correlation IDs and steps in the process you want to track. For more information, see Identify your Correlation IDs, Step, and Attributes.

Next, determine if your Flow Models fit the requirements. The Flow Models you want to combine must only contain streaming commands such as: search, eval, and rex

The Combine Flow Model feature is not compatible with Flow Models that contain the following search commands and search types:

  • Saved searches
  • Data models
  • Summary commands such as stats. For more information, see Types of commands in the Splunk Enterprise Search Reference.
  • The multisearch command. For more information, see Multisearch in the Splunk Enterprise Search Reference.

Combine your Flow Models

Follow these steps to combine your Flow Models.
Steps

  1. In SBF, click the gear icon to open the configuration page.
  2. Click Combine Flow Models.
  3. Type a name for the new Flow Model.
  4. (Optional) Enter a description.
  5. Click Next.
  6. From the Sources dropdown menu, select the Flow Models you want to combine.
  7. In the correlation matrix, click Create Correlation.
    The Correlation ID matrix lists all the Flow Models you selected and the corresponding intersections. When you create a correlation between two Flow Models the match appears in two places. If you have three Flow models, you do not need to create a correlation at each intersection to combine the Flow Models.
  8. Under Flow Model A, select the Correlation ID you think matches a correlation ID in Flow Model B.
    If the field values match exactly, a checkmark appears next to the field values.
  9. Under Flow Model B, select the correlation ID you think contains matching fields to the Correlation ID you selected in Flow Model A
    Even if you have matching field values in your Flow Models, you might not see any matches in the given sample.
  10. Click Confirm Match.
  11. (Optional) Create another correlation using the same steps.
  12. Click Done.

Tutorial

This tutorial uses data from the fictitious Buttercup Games Store. This is the same data used in the Splunk Business Flow Getting Started Tutorial. If you did not complete the Splunk Business Flow Beta Tutorial, download the Game_store.zip file. Do not uncompress the file.

Suppose you are a business analyst at the fictitious Buttercup Games Store. This week several customers called into Buttercup Games Support. You want to analyze the purchase process, and discover what roadblocks customers encountered. This process spans two Flow Models: a weblogs Flow Model, and a call center Flow Model. To see the complete process, you need to combine the weblog and call center Flow Models into a single Flow Model. You want to track this process by individual customer. The field name that identifies the user in both the weblogs and call center data is customer_id. In this example, you do not have multiple correlation IDs or gluing events. You already know that the customer_id contains the same field values in both Flow Models. The weblogs and call center Flow Models have the following definitions.

Create the Flow Models you want to Combine

First, create the two Flow Models you want to combine.

Prerequisites

  • Upload the Game Store data into the Splunk platform. To upload the Game Store data into your Splunk platform, see Upload the tutorial data in the the Getting Started Tutorial.
  • You must have the latest version of Splunk Business Flow.

Steps

  1. Click the Flow Model icon Flow Models icon to open the Flow Models page.
  2. Click New Flow Model.
  3. Type weblogs as a name.
  4. Type the following search:

    index = tutorial sourcetype = web-6

  5. Click Submit.
  6. In the Flow Models editor, select customer_id as Correlation ID and action as Step.
  7. Click Save.
  8. Set the time range picker to All time.
  9. Repeat the same steps to create the call center Flow Model with the following Flow Model definition:
    Flow Model Search Correlation ID Step
    call center

    index = tutorial sourcetype = call_center

    customer_id queue

Combine the call center and weblogs Flow Models

Next, combine the weblogs and call center Flow Models to create a new Flow Model.

  1. Click the Flow Model icon Flow Models icon to open the Flow Models page.
  2. Click Combine Flow Models.
  3. Type Call center & weblogs as the name for the Flow Model.
  4. (Optional) Type a description for the Flow Model.
  5. Click Next.
  6. From the Sources drop-down list, select weblogs and call center.
  7. In the Correlation ID matrix, click Create Correlation in either box.
    The Correlation ID matrix lists all the Flow Models you selected and the corresponding intersections. When you create a correlation between two Flow Models, the match appears in two places. In this example, since there are only two sources, you create only one correlation.
    This screenshot shows the Combine Flow Models correlation matrix. It lists the Flow Models you want to combine in a grid. In this case, it shows the weblogs and call center Flow Models. Since there are two Flow Models, there are two intersections to create correlations.
  8. Under Flow Model A, select customer_id.
  9. Under Flow Model B, select customer_id.
    Even if you have matching field values in your Flow Models, you might not see any matches in the given sample.
  10. After you verify that your correlation IDs have matching fields, click Confirm Match.
    This screenshot shows the Correlation ID matrix.
  11. Click Done.
    Even though the field name that corresponds to Step is not consistent between Flow Models, you do not need to rename the field name.The Flow Model editor shows the generated search, the corresponding correlation IDs and new step combinedStep.
    This screenshot shows the generated search. It starts with a multisearch command, and ends with a coalesce command.
  12. (Optional) In the Flow Model editor, select any attributes you are interested in.
  13. Click the Validate tab.
  14. Set the time range picker to All time.
  15. Click Save.
Last modified on 27 July, 2020
Create a Flow Model   Manage Flow Models

This documentation applies to the following versions of Splunk® Business Flow (Legacy): -Latest-


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters