Hi! Here are the steps you can perform to get the ephemeral stream through ES.
1) Install ES and Stream on Splunk.
2) Configure the ISF (Independent Stream Forwarder) so that it checks in to the search head. (Steps to configure the ISF: https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/InstallStreamForwarderonindependentmachine)
3) Make sure enough data is indexed in Splunk Stream (for sourcetypes: tcp, dns, http, ip, udp).
4) Create a search such as: host=hostname_of_ISF sourcetype="stream:ip" dest_ip="10.202.18.155", where dest_ip is the IP of your search head.
5) Save the search as an alert that runs on a cron schedule every minute.
6) In the Trigger Actions, select Notable Events and save the alert.
7) Navigate to ES app > Incident Review. On your created notable event, run an Adaptive Response Action by clicking New Response Action -> Stream Capture.
8) The adaptive response from Stream Capture should show a "success" status.
9) Navigate to Stream App > Configure Streams > Ephemeral streams. You will see the created streams on the dashboard.
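For reference, here is what the saved alert from the steps above looks like as a savedsearches.conf stanza. This is an added example, not configuration from the original post or from Splunk's documentation; the stanza name, the ISF hostname, the search head IP and the notable-event title and severity are assumed values, and the stanza would normally be written by the UI when the alert is saved.

```ini
# Assumed stanza name; created by saving the search as an alert in ES.
[Stream Capture Trigger - ISF to Search Head]
# The search from step 4. "hostname_of_ISF" and 10.202.18.155 are placeholders
# for your ISF host and the IP of your search head.
search = host=hostname_of_ISF sourcetype="stream:ip" dest_ip="10.202.18.155"

# Step 5: scheduled alert running every minute, looking back one minute.
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now

# Fire whenever the search returns at least one event.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1

# Step 6: Notable Events trigger action. The title, description, security
# domain and severity below are assumed values for the example.
action.notable = 1
action.notable.param.rule_title = Stream traffic from ISF to search head
action.notable.param.rule_description = Stream IP events seen from the ISF to the search head
action.notable.param.security_domain = network
action.notable.param.severity = low
```

Once the notable appears in Incident Review, steps 7 to 9 (running the Stream Capture response action and checking the Ephemeral streams dashboard) are done from the ES and Stream UIs.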