
URL Toolbox not parsing ut_domain correctly if a TLD string is part of the domain name

teresachila
Path Finder

Running the code below will yield ut_domain as ".com" instead of "somethin.shop". It seems like if the subdomain contains a valid TLD string (e.g. .com), then ut_domain is not parsed correctly. A domain "somethingbad.shop" will be parsed correctly as it recognizes .shop as a TLD.

| makeresults | eval domain_full = "something.com.somethin.shop"
| eval list="*" | `ut_parse(domain_full, list)`

Is it a bug? If so, how can we report it? Any workaround you can think of while waiting for a bug fix?

0 Karma

marnall
Motivator

The UT toolbox app relies on some .dat files in the $SPLUNKDIR$/etc/apps/utbox/bin/ directory which list the known TLD suffixes. Unfortunately, ".shop" is not listed in them.

To add the ".shop" TLD, you can edit the suffix_list_custom.dat file at:

$SPLUNKDIR$/etc/apps/utbox/bin/suffix_list_custom.dat

and add a line containing "shop". A restart is not required to apply this change.

Then try your query again and the ut_domain field value should now be "somethin.shop" as desired.

0 Karma
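
The suffix-list dependency described in the answer above, as an added example that is not part of the original thread and not URL Toolbox's own code: a simplified, right-anchored longest-suffix match that shows why a domain cannot be resolved until its TLD is in the list. The one-suffix-per-line layout, the sample lists, the sample domains and all function names are assumptions made for illustration.

```python
# Added illustration, not URL Toolbox's code: a simplified, right-anchored
# longest-suffix match over a one-suffix-per-line list (assumed layout).

# Constructed sample lists. BUILTIN deliberately lacks "shop".
BUILTIN_SUFFIXES = "com\nnet\norg\nco.uk\n"
CUSTOM_SUFFIXES = "shop\n"  # the line the answer says to add


def load_suffixes(*texts):
    """Merge one-suffix-per-line texts into a lowercase set, skipping blanks."""
    suffixes = set()
    for text in texts:
        for line in text.splitlines():
            entry = line.strip().lstrip(".").lower()
            if entry:
                suffixes.add(entry)
    return suffixes


def registered_domain(fqdn, suffixes):
    """Return (domain, suffix) for the longest known suffix at the right end
    of fqdn, or (None, None) when nothing in the list matches."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest candidate suffix first
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return ".".join(labels[i - 1:]), candidate
    return None, None


def unknown_tlds(fqdns, suffixes):
    """List the rightmost labels that the suffix list cannot resolve, i.e. the
    entries that would have to be added to the custom list."""
    missing = set()
    for fqdn in fqdns:
        if registered_domain(fqdn, suffixes) == (None, None):
            missing.add(fqdn.lower().rstrip(".").rsplit(".", 1)[-1])
    return sorted(missing)


if __name__ == "__main__":
    sample = ["something.com.somethin.shop", "login.example.co.uk"]  # constructed
    before = load_suffixes(BUILTIN_SUFFIXES)
    after = load_suffixes(BUILTIN_SUFFIXES, CUSTOM_SUFFIXES)
    print(unknown_tlds(sample, before))
    print(registered_domain(sample[0], after))
```

Running `unknown_tlds` over the domains seen in your own data gives the list of suffixes that would need a line in the custom file before the parsed domain can be trusted in a detection.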

wryanthomas
Contributor

In a fully managed Splunk Cloud context, we don't have access to the file system, so we can't readily edit the custom.dat file. This is a plea to the developers: Could you please update this app to address this need? Thanks!

0 Karma