Splunk App for Stream: How Can You Use Ephemeral Streams?

Did you know that Splunk App for Stream supports ephemeral streams in addition to permanent ones? Ephemeral stream capture enables you to grab wire data on the fly for a specified period and analyze it in Splunk software. You can start using ephemeral (temporary) streams in a variety of situations: security analysis (see below), to better your applications performance, to observe network latency during increased traffic conditions (for example, Cyber Monday or another seasonal event).

We have integrated wire data and ephemeral streams in our popular Splunk App for Enterprise Security. From within the app, you can trigger on-the-fly wire data capture based on your search results, events or alerts. With ephemeral streams you can choose to monitor just a subset of protocols such as DNS or SMTP or capture all supported wire data for planned or ad hoc analysis for quick troubleshooting. This new data, context and extractions from wire data acquisition are immediately available in Protocol Intelligence dashboards. Now you can start having deeper investigations of unusual user or applications behaviors, such as analysis of email envelopes, unusual DNS activity or other security investigations.

ephemeral stream

Temporary wire data capture based on search results – great for ad-hoc or automated investigation

Another way to take advantage of ephemeral streams is by combining it with our Stream aggregates. First, you can use the aggregate functionality of the Splunk App for Stream to coarsely sift through your wire data. Utilizing alerts, once you have any anomalous conditions or increased averages, you can automate wire data capture and perform deeper investigations. This way you can start getting deep visibility into applications or network performance and still keep tabs on total amount of wire data. And the best part is, we make it easy to integrate with your own Splunk app using our Stream REST API.

Stela Udovicic
Posted by Stela Udovicic

