I have successfully installed Splunk Stream in a distributed environment. Stream data are indexed remotely and can be searched manually.
I have a couple of questions to ask:
1) I am initiating a 15-minute Ephemeral Stream from the Splunk ES Incident Review console (using the available adaptive response action "Stream Capture"). I select "All" protocols. I can see the Ephemeral Stream under the "Configure Streams" UI. Even though it starts 9 streams, after 15 minutes the streams disappear. Does this mean that the streams were empty? Normally, would they have a link that I can click to search them? Can I export them for later use or as an artifact in an investigation?
2) In which index do these Ephemeral Streams get captured/indexed?
3) Even though my streams are working and data are coming in, I see that in Configure Streams the "Avg. Traffic" and "Recent Traffic per protocol (15m)" values are all zero. Why does this happen? This applies to both the enabled and the estimate streams.