Running the code below will yield ut_domain as ".com" instead of "somethin.shop". It seems like if the subdomain contains a valid TLD string (e.g. .com), then ut_domain is not parsed correctly. A domain "somethingbad.shop" will be parsed correctly as it recognizes .shop as a TLD.
| makeresults | eval domain_full = "something.com.somethin.shop"
| eval list="*" | `ut_parse(domain_full, list)`
Is it a bug? If so, how can we report it? Any workaround you can think of while waiting for bug fix?
The UT toolbox app relies on some .dat files in the $SPLUNKDIR$/etc/apps/utbox/bin/ directory which list the known TLD suffixes. Unfortunately, ".shop" is not listed in them.
To add the ".shop" TLD, you can edit the suffix_list_custom.dat file at:
$SPLUNKDIR$/etc/apps/utbox/bin/suffix_list_custom.dat
and add a line containing "shop". A restart is not required to apply this change.
Then try your query again and the ut_domain field value should now be "somethin.shop" as desired.
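The answer above turns on how suffix-list based parsers work: the registered domain is the longest known public suffix plus the one label to its left, so a TLD missing from the list cannot be matched at all. The following is an added example written for this thread, not code from the URL Toolbox app, and it does not reproduce utbox's exact fallback (this generic matcher returns None when no suffix is known, rather than the ".com" reported in the question). The built-in list and the custom list contents are constructed stand-ins; the custom list mimics the "one suffix per line" format described in the answer.

```python
"""Public-suffix-style registered-domain extraction, shown with and without
a custom suffix entry for "shop". Added example; not the utbox implementation."""
from typing import Optional, Set

# Constructed stand-in for a bundled suffix list (real lists are far larger).
BUILTIN_SUFFIXES = """\
# comment lines and blank lines are ignored
com
net
org
co.uk
"""

# Constructed stand-ins for suffix_list_custom.dat before and after the fix.
CUSTOM_SUFFIXES_BEFORE = ""
CUSTOM_SUFFIXES_AFTER = "shop\n"


def load_suffixes(*texts: str) -> Set[str]:
    """Merge one or more suffix-list texts (one suffix per line) into a set."""
    suffixes: Set[str] = set()
    for text in texts:
        for raw in text.splitlines():
            line = raw.strip().lower().lstrip(".")
            if line and not line.startswith("#"):
                suffixes.add(line)
    return suffixes


def registered_domain(host: str, suffixes: Set[str]) -> Optional[str]:
    """Return the registered domain (public suffix + one label), or None.

    The host is scanned from the left so that the first candidate that is a
    known suffix is also the longest one (e.g. "co.uk" wins over "uk").
    """
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            if i == 0:
                return None  # the whole host is itself a public suffix
            return ".".join(labels[i - 1:])
    return None  # no known suffix: the list is incomplete for this host


def compare_lists(host: str) -> dict:
    """Parse the same host with and without the custom "shop" entry."""
    before = load_suffixes(BUILTIN_SUFFIXES, CUSTOM_SUFFIXES_BEFORE)
    after = load_suffixes(BUILTIN_SUFFIXES, CUSTOM_SUFFIXES_AFTER)
    return {
        "before": registered_domain(host, before),
        "after": registered_domain(host, after),
    }


if __name__ == "__main__":
    for h in ("something.com.somethin.shop", "somethingbad.shop",
              "www.example.co.uk", "mail.example.com"):
        print(h, "->", compare_lists(h))
```

With the constructed lists, "something.com.somethin.shop" yields no registered domain until "shop" is present in the custom list, after which it resolves to "somethin.shop"; hosts under suffixes that are already listed, such as "example.co.uk", are unaffected by the change.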
In a fully managed Splunk Cloud context, we don't have access to the file system, so we can't readily edit the custom.dat file. This is a plea to the developers: Could you please update this app to address this need? Thanks!