Re: Universal Forwarder DNS resolution

a_naoum · ‎10-08-2019

Good day to all,

Since I didn't find an search results on this topic, does UF do any DNS resolution for the events (windows or whatsoever) that reads ?

I believe that doesn't do but I would like some second opinion.

thanks!

gfreitas · ‎10-08-2019

The answer here will depend on your configuration but the UF should index the raw data it sees unless state otherwise on the configuration (for example on props and transforms to change it, but this would be done on the Indexer(s)/HF(s).

gcusello · ‎10-08-2019

Hi a_naoum,
I know that Universal Forwarder connects to DNS for resolution, because in some past versions (6.x) of the Windows UF there was a bug so, sometimes, the memory use was too high and the solution suggested by the Splunk Support was to disable DNS resolution.
I cannot explain more details.

Bye.
Giuseppe

Universal Forwarder DNS resolution

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation