https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-DNS-resolution/m-p/498911#M85053 <P>Good day to all,</P> <P>Since I didn't find an search results on this topic, does UF do any DNS resolution for the events (windows or whatsoever) that reads ?</P> <P>I believe that doesn't do but I would like some second opinion.</P> <P>thanks!</P> Tue, 08 Oct 2019 07:50:27 GMT a_naoum 2019-10-08T07:50:27Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-DNS-resolution/m-p/498911#M85053 <P>Good day to all,</P> <P>Since I didn't find an search results on this topic, does UF do any DNS resolution for the events (windows or whatsoever) that reads ?</P> <P>I believe that doesn't do but I would like some second opinion.</P> <P>thanks!</P> Tue, 08 Oct 2019 07:50:27 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-DNS-resolution/m-p/498911#M85053 a_naoum 2019-10-08T07:50:27Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-DNS-resolution/m-p/498912#M85054 <P>Hi a_naoum,<BR /> I know that Universal Forwarder connects to DNS for resolution, because in some past versions (6.x) of the Windows UF there was a bug so, sometimes, the memory use was too high and the solution suggested by the Splunk Support was to disable DNS resolution.<BR /> I cannot explain more details.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 08 Oct 2019 09:45:25 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-DNS-resolution/m-p/498912#M85054 gcusello 2019-10-08T09:45:25Z https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-DNS-resolution/m-p/498913#M85055 <P>The answer here will depend on your configuration but the UF should index the raw data it sees unless state otherwise on the configuration (for example on props and transforms to change it, but this would be done on the Indexer(s)/HF(s).</P> Tue, 08 Oct 2019 10:40:33 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-DNS-resolution/m-p/498913#M85055 gfreitas 2019-10-08T10:40:33Z