The previous answer is incorrect; threatlists do not accept a pipe-delimited field as input for the "url" or "domain" fields. This is something that can easily be tested by simply trying it out. Place an entry into local_threatlist_domains.csv and wait for the threatlist management system to merge the CSVs into the active lookup tables:
$ cat local_threatlist_domains.csv
description,domain
test,splunk.com|google.com
... wait for a while ...
$ grep splunk threatlist_by_domain_or_url.csv
splunk.com|google.com,,,test,,splunk.com|google.com,,local_threatlist_domains,threatlist_domain
Note that the output CSV does not contain multiple entries as would be required in a lookup table for matching to work properly, but retains the pipe-delimited format; thus this indicates that this is not currently supported.
We'll coordinate to have the documentation corrected.
... View more