All Apps and Add-ons

URL Toolbox not parsing ut_domain correctly if a TLD string is part of the domain name

Path Finder

Running the code below will yield ut_domain as ".com" instead of "". It seems like if the subdomain contains a valid TLD string (e.g. .com), then ut_domain is not parsed correctly. A domain "" will be parsed correctly as it recognizes .shop as a TLD.




| makeresults | eval domain_full = ""
| eval list="*" | `ut_parse(domain_full, list)`




 Is it a bug? If so, how can we report it? Any workaround you can think of while waiting for bug fix?


Labels (1)
0 Karma


The UT toolbox app relies on some .dat files in the $SPLUNKDIR$/etc/apps/utbox/bin/ directory which list the known TLD suffixes. Unfortunately, ".shop" is not listed in them.

To add the ".shop" tld, you can edit the suffix_list_custom.dat file at:


and add a line containing "shop". A restart is not required to apply this change.

Then try your query again and the ut_domain field value should now be "" as desired.

0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...