TLD Parser

September 05, 2018 14:28

Hello there,

I am looking to find TLD's in the logs, and I am struggling to build the right query.

| domain as domain_lookup
| parse field=domain_lookup "*.*.*" as d, tld, tld1

The issue that I am running into is there is no way of knowing how many periods (.) there are in a domain. For Example support.sumologic.com has three. So the query above would work and TLD1 would have an output of .com - However secure.widget.cloud.opta.net has many periods, and I wont get .net with the current query.

I was thinking about a possible parser to go from right to left and just grab from the end to the first period.

Comments

7 comments

Azriel Nguyen

September 05, 2018 15:06
hey Austin,

try this:

| parse regex field=domain_lookup"(?<tld1>[^\.]*)(?=\n)"

assuming that a newline is following the tld1
0

Comment actions Permalink
Austin Sandland

September 05, 2018 15:17
Hey Azriel,

That is also not working. The log is tab delimited.

| domain as domain_lookup
| parse regex field=domain_lookup"(?<tld1>[^\.]*)(?=\t)"

This search came back with www. for example, not .com
0

Comment actions Permalink
Azriel Nguyen

September 05, 2018 15:18
change "\n" to "\s" if followed by space. good luck
0

Comment actions Permalink
Austin Sandland

September 05, 2018 15:28
| domain as domain_lookup
| parse regex field=domain_lookup"(?<tld1>[^\.]*)(?=\s)"

No search results found. Any other ideas?
0

Comment actions Permalink
Azriel Nguyen

September 05, 2018 16:36
hey Austin,

hopefully this will work for you: (?=$)

Sorry I was in meeting
0

Comment actions Permalink
Austin Sandland

September 05, 2018 16:39
Hey Azriel,

That worked! Thanks for your help!

| domain as domain_lookup
| parse regex field=domain_lookup"(?<tld1>[^\.]*)(?=$)"
0

Comment actions Permalink
Azriel Nguyen

September 05, 2018 16:41
sweet! happy to help :)
0

Comment actions Permalink

Please sign in to leave a comment.

Comments

Didn't find what you were looking for?