- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- URL Toolbox ut_parse_extended_lookup not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Running the search with the long-form ut_parse_extended_lookup command:
sourcetype=infoblox:dns record_type IN (TXT,A,AAAA)
| eval list="mozilla"
| lookup ut_parse_extended_lookup url AS query
| stats count by ut_domain
Fails to identify obvious domains like foxsports.com.au, instead breaking it out as ut_domain=com.au and ut_subdomain_parts=foxsports.
Meanwhile, running (what should be) the same search by using the macro:
sourcetype=infoblox:dns record_type IN (TXT,A,AAAA)
| eval list="mozilla"
| `ut_parse(query,list)`
| stats count by ut_domain
parses the same domains perfectly, this time as ut_domain=foxsports.com.au
I checked suffix_list_mozilla.dat and confirmed the com.au 2LD entry exists, and I can't identify any meaningful differences between the manual query I ran and what's abstracted by the macro is macros.conf.
[ut_parse_extended(2)]
args = url, list
definition = lookup ut_parse_extended_lookup url as $url$ list as $list$ | spath input=ut_subdomain_parts | fields - ut_subdomain_parts
Does anyone know why I'm getting such poor results from running the long-form version of the command, as opposed to the macro?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype=infoblox:dns record_type IN (TXT,A,AAAA)
| eval list="mozilla"
| lookup ut_parse_extended_lookup url AS query list AS list
| spath input=ut_subdomain_parts
| fields - ut_subdomain_parts
| stats count by ut_domain
Hi, How about adding spath?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype=infoblox:dns record_type IN (TXT,A,AAAA)
| eval list="mozilla"
| lookup ut_parse_extended_lookup url AS query list AS list
| spath input=ut_subdomain_parts
| fields - ut_subdomain_parts
| stats count by ut_domain
Hi, How about adding spath?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The spath argument just removes the ut_subdomain_parts field, but your response did highlight the fact I didn't add list AS list to the lookup command - adding this solved the issue as it uses the iana list otherwise.
I'd tried this before but instead did list AS mozilla so it didn't work.
Thanks for your response!
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
