Have you checked out the URL toolbox app? It has some handy macros that allow you to parse domains & TLDs. https://splunkbase.splunk.com/app/2734
If you want to see the top domains (after you remove the subdomains), try a search like the one below. I would look for a field in your web app logs that might indicate if it is malicious or not. Otherwise, you will need to add some kind of threat intelligence list to ES to cross-reference malicious sites with what is found in your logs.
index=netwaf | stats sum(bytes) as total_bytes count by domain