URL Toolbox not parsing ut_domain correctly if a T...

teresachila · ‎02-26-2024

Running the code below will yield ut_domain as ".com" instead of "somethin.shop". It seems like if the subdomain contains a valid TLD string (e.g. .com), then ut_domain is not parsed correctly. A domain "somethingbad.shop" will be parsed correctly as it recognizes .shop as a TLD.

| makeresults | eval domain_full = "something.com.somethin.shop"
| eval list="*" | `ut_parse(domain_full, list)`

Is it a bug? If so, how can we report it? Any workaround you can think of while waiting for bug fix?

marnall · ‎04-14-2024

The UT toolbox app relies on some .dat files in the $SPLUNKDIR$/etc/apps/utbox/bin/ directory which list the known TLD suffixes. Unfortunately, ".shop" is not listed in them.

To add the ".shop" tld, you can edit the suffix_list_custom.dat file at:

$SPLUNKDIR$/etc/apps/utbox/bin/suffix_list_custom.dat

and add a line containing "shop". A restart is not required to apply this change.

Then try your query again and the ut_domain field value should now be "somethin.shop" as desired.

wryanthomas · ‎06-25-2024

In fully managed Splunk Cloud context, we don't have access to the file system, so we can't readily edit the custom.dat file. This is a plea to the developers: Could you please update this app to address this need? Thanks!

URL Toolbox not parsing ut_domain correctly if a TLD string is part of the domain name

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

URL Toolbox not parsing ut_domain correctly if a TLD string is part of the domain name

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25