
URL Toolbox not parsing ut_domain correctly if a TLD string is part of the domain name

teresachila
Path Finder

Running the code below will yield ut_domain as ".com" instead of "somethin.shop". It seems like if the subdomain contains a valid TLD string (e.g. .com), then ut_domain is not parsed correctly. A domain "somethingbad.shop" will be parsed correctly as it recognizes .shop as a TLD.

| makeresults | eval domain_full = "something.com.somethin.shop"
| eval list="*" | `ut_parse(domain_full, list)`

 Is it a bug? If so, how can we report it? Any workaround you can think of while waiting for bug fix?

 

0 Karma

marnall
Motivator

The UT toolbox app relies on some .dat files in the $SPLUNKDIR$/etc/apps/utbox/bin/ directory which list the known TLD suffixes. Unfortunately, ".shop" is not listed in them.

To add the ".shop" tld, you can edit the suffix_list_custom.dat file at:

$SPLUNKDIR$/etc/apps/utbox/bin/suffix_list_custom.dat

and add a line containing "shop". A restart is not required to apply this change.

Then try your query again and the ut_domain field value should now be "somethin.shop" as desired.

0 Karma
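To make the mechanism in the two posts above concrete, here is a small suffix-list parser written for this thread. It is not URL Toolbox's code (I have not read the app's source); it only models what a right-anchored suffix lookup does when its list lacks "shop", contrasts that with a parser that walks inward and latches onto the embedded "com" (the failure mode the question reports, though the exact field value may differ from what ut_parse emits), and shows the effect of adding a "shop" line to a custom list. BASE_SUFFIXES and the two CUSTOM_DAT_* strings are constructed stand-ins for the .dat files under $SPLUNKDIR$/etc/apps/utbox/bin/; their contents are assumptions.

```python
"""Suffix-list domain parsing: why a hostname whose subdomain contains a
TLD-looking label ("something.com.somethin.shop") confuses a parser whose
suffix list does not know the real TLD ("shop"), and how a custom list fixes it.

Constructed example for this thread, not URL Toolbox code. The suffix lists
below are hypothetical stand-ins for the .dat files in
$SPLUNKDIR$/etc/apps/utbox/bin/; their contents are assumed.
"""
from __future__ import annotations

from typing import Optional

# Built-in list, deliberately missing "shop" to mirror the thread's situation.
BASE_SUFFIXES = {"com", "net", "org", "co.uk"}

# Contents of a hypothetical suffix_list_custom.dat, one suffix per line.
CUSTOM_DAT_BEFORE = ""          # nothing added yet
CUSTOM_DAT_AFTER = "shop\n"     # the one-line fix suggested above


def load_suffixes(custom_dat: str) -> set[str]:
    """Merge the built-in suffixes with the lines of a custom .dat file.

    Blank lines and '//' comments are ignored; a leading '.' is tolerated so
    both "shop" and ".shop" work; everything is lower-cased.
    """
    custom = set()
    for line in custom_dat.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("//"):
            continue
        custom.add(line.lstrip("."))
    return BASE_SUFFIXES | custom


def parse_domain(hostname: str, suffixes: set[str]) -> dict[str, Optional[str]]:
    """Right-anchored longest-suffix match (the public-suffix-list approach).

    The public suffix must END the hostname; the registered domain is that
    suffix plus one label to its left. If no known suffix ends the hostname,
    return None rather than guessing, so a missing TLD is visible in the data.
    """
    labels = hostname.lower().strip(".").split(".")
    for i in range(len(labels)):                 # longest candidate first
        tld = ".".join(labels[i:])
        if tld in suffixes:
            if i == 0:                           # hostname is itself a suffix
                return {"tld": tld, "domain": None, "subdomain": None}
            return {
                "tld": tld,
                "domain": ".".join(labels[i - 1:]),
                "subdomain": ".".join(labels[:i - 1]) or None,
            }
    return {"tld": None, "domain": None, "subdomain": None}


def parse_domain_inward(hostname: str, suffixes: set[str]) -> dict[str, Optional[str]]:
    """Symptom model (assumed, not URL Toolbox's real algorithm): walk the
    labels from right to left and stop at the FIRST label that is a known
    suffix, even when it is not at the end of the hostname.

    With "shop" unknown this latches onto the embedded "com", which is why a
    subdomain that merely looks like a TLD can be mis-classified, and why an
    attacker can pick "brand.com.<anything>.<unlisted-tld>" to be bucketed
    with brand.com by such a parser.
    """
    labels = hostname.lower().strip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        if labels[i] in suffixes:
            return {
                "tld": labels[i],
                "domain": ".".join(labels[i - 1:i + 1]) if i > 0 else None,
                "subdomain": ".".join(labels[:i - 1]) or None,
            }
    return {"tld": None, "domain": None, "subdomain": None}


if __name__ == "__main__":
    host = "something.com.somethin.shop"
    before, after = load_suffixes(CUSTOM_DAT_BEFORE), load_suffixes(CUSTOM_DAT_AFTER)
    print("strict, shop unknown :", parse_domain(host, before))
    print("inward, shop unknown :", parse_domain_inward(host, before))
    print("strict, shop added   :", parse_domain(host, after))
```

The practical check this suggests: run ut_parse over your own data and look for ut_domain values that are bare TLDs or that end in a label you do not recognise; each one is a suffix missing from the .dat files, and a good candidate for a line in suffix_list_custom.dat.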

wryanthomas
Contributor

In a fully managed Splunk Cloud context, we don't have access to the file system, so we can't readily edit the custom .dat file. This is a plea to the developers: could you please update this app to address this need? Thanks!

0 Karma