We have a server that is using splunk enterprise version 7.3.4. However, I couldn't find Splunk DB Connect compatible with that version in splunk base. Could I get a Splunk DB Connect installation file that is compatible with splunk enterprise 7.3.4?

Running the code below will yield ut_domain as ".com" instead of "somethin.shop". It seems like if the subdomain contains a valid TLD string (e.g. .com), then ut_domain is not parsed correctly. A domain "somethingbad.shop" will be parsed correctly as it recognizes .shop as a TLD.       | makeresults | eval domain_full = "something.com.somethin.shop" | eval list="*" | `ut_parse(domain_full, list)`        Is it a bug? If so, how can we report it? Any workaround you can think of while waiting for bug fix?  

Dear team,  Good day! Hope you are doing well.  I need some help in understanding a correlation search. The search is as follows:  index=email sourcetype="ironport:summary" action=delivered |fillnull value="" file_name senderdomain |rex field=sender "\@(?<senderdomain>[^ ]*)" | eval list="mozilla" | `ut_parse_extended(senderdomain,list)` | stats count first(subject) as subject earliest(_time) as earliest latest(_time) as latest values(file_name) as file_name by ut_domain | inputlookup append=t previously_seen_domains.csv | stats sum(count) as No_of_emails values(subject) as subject min(earliest) as earliest max(latest) as latest values(file_name) as file_name by ut_domain | eval isNew=if(earliest >= relative_time(now(), "-1d@d"), 1,0) | where isNew=1 and No_of_emails>=1 | mvcombine file_name delim=" " | eval temp_file=split(file_name," ") | rex field="temp_file" "\.(?<ext>[^\.]*$)" | eventstats values(ext) as extension by ut_domain | table latest earliest ut_domain No_of_emails subject file_name temp_file extension | eval _comment="exchange search here" | join type=outer ut_domain [search index=email sourcetype="MSExchange:2013:MessageTracking" directionality="Incoming" event_id="RECEIVE" | stats count by sender_domain | fields sender_domain | eval list="mozilla" | `ut_parse_extended(sender_domain,list)` | table ut_domain sender_domain ] | eval isExchangeFound=if(isnull(sender_domain),"false","true") | where isExchangeFound="true" | eval qualifiers=if(No_of_emails>=5,mvappend(qualifiers, "- More Than 5 emails from a previously unseen domain (Possible Spam)."),qualifiers) | cluster t=0.5 labelonly=1 showcount=0 field=file_name | eventstats dc(file_name) as similer_attach_count dc(ut_domain) as no_of_domains by cluster_label | eval qualifiers=if(similer_attach_count>=2 AND match(extension,"(?i)(bat|chm|cmd|cpl|exe|hlp|hta|jar|msi|pif|ps1|reg|scr|vbe|vbs|wsf|lnk|scr|xlsm|dotm|lnk|zip|rar|gz|html|iso|img|one)") ,mvappend(qualifiers, "- Suspicious email attachments with similar names, sent from " .no_of_domains. " previously unseen domains. (Qbot Style)"),qualifiers) | where mvcount(qualifiers)>0 | eval _comment="informational qualifier not counted" | eval qualifiers=if(match(extension,"(?i)(bat|chm|cmd|cpl|exe|hlp|hta|jar|msi|pif|ps1|reg|scr|vbe|vbs|wsf|lnk|scr|xlsm|dotm|lnk|zip|rar|gz|html|iso|img|one)") ,mvappend(qualifiers, "- Email attachment contains a suspicious file extension - " .extension ),qualifiers) | eval cluster_label=if(isnull(cluster_label),ut_domain,cluster_label) | stats values(subject) as subject values(no_of_domains) as no_of_domains values(severity) as severity values(file_name) as file_name values(ut_domain) as ut_domain values(qualifiers) as qualifiers min(earliest) as start_time max(latest) as end_time sum(No_of_emails) as No_of_emails by cluster_label | eval sev=if(no_of_domains>1,mvcount(qualifiers) + 1,mvcount(qualifiers)) | eval urgency=case(sev=1,"low",sev=2,"medium",sev>2,"high" ) | eval reason=mvappend("Alert qualifiers:", qualifiers) | eval dd=" index=email sourcetype=ironport:summary sender IN (\"*".mvjoin(ut_domain, "\", \"*")."\") | eventstats last(subject) as subject by sender | eventstats last(file_name) as file_name by sender |table _time action sender recipient subject file_name" | table start_time end_time ut_domain subject No_of_emails file_name reason urgency dd | `security_content_ctime(start_time)` | `security_content_ctime(end_time)` | rename No_of_emails as result | eval network_segment="ABC" |search ut_domain=* NOT [inputlookup domain_whitelist.csv | fields ut_domain] The expansion of the macro `ut_parse_extended(senderdomain,list)`: | lookup ut_parse_extended_lookup url as senderdomain list as list | spath input=ut_subdomain_parts | fields - ut_subdomain_parts   We have this search and it works but giving a lot of false positives. Even though a domain is added to the look up table, still we are getting an alert. I am SOC analyst and I tried to understand this query but it appears to be very difficult. Can someone please help or support me to simplify this query? It will be really helpful. This is the first time I am posting something on a community page. So, if I missed to add any information, I apologize and do let me know if more info is required and I will be more than happy to furnish them.  Appreciate your help and support.