How busy is your DNS server? Also, you've limited the maxKbps of the UF to 4 Mb. If during busy times the DNS entries exceed 4 Mb, then it just buffers it all, and that would use a lot of memory. If I were you, I'd raise those limits WAY up higher, or remove then completely, and see what change that makes. Try it at 'maxKbps=0' (Which is unlimited) You can always set it back to something less than unlimited after testing proves this solves it or does not solve it. Frankly, I'd just leave it set to unlimited and build out indexer ingestion if you have to. The only reasons I can think of to leave it limited is to not fill a small pipe, like a WAN connection that's underprovisioned for what's needed. Happy Splunking, Rich
... View more