I am looking to find TLDs in the logs, and I am struggling to build the right query.
| domain as domain_lookup
| parse field=domain_lookup "*.*.*" as d, tld, tld1
The issue that I am running into is there is no way of knowing how many periods (.) there are in a domain. For example, support.sumologic.com has three. So the query above would work and TLD1 would have an output of .com. However, secure.widget.cloud.opta.net has many periods, and I won't get .net with the current query.
I was thinking about a possible parser to go from right to left and just grab from the end to the first period.
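The right-to-left idea from the post, sketched in Python as an added example (not part of the original post, and not Sumo Logic query syntax): the pattern is anchored at the end of the value, so the number of periods to the left does not matter. The function names, the `domain=` log layout and the sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# Anchored at the end of the string: captures the rightmost label and
# tolerates a trailing dot (fully qualified form) and a ":port" suffix.
TLD_RE = re.compile(r"(?:^|\.)([a-z0-9-]+)\.?(?::\d+)?$", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
DOMAIN_FIELD = re.compile(r"\bdomain=(\S+)")  # assumed log layout

def extract_tld(domain):
    """Return the rightmost label in lower case, or None if there is no TLD.

    This is the last label only ('uk' for 'a.co.uk'); it does not consult
    the Public Suffix List.
    """
    value = domain.strip()
    if not value or IPV4_RE.match(value):
        return None                      # IP literals have no TLD
    if "." not in value.rstrip("."):
        return None                      # single-label host, e.g. "localhost"
    m = TLD_RE.search(value)
    if not m or m.group(1).isdigit():
        return None
    return m.group(1).lower()

SAMPLE_LOGS = [  # constructed sample lines, not real data
    "domain=support.sumologic.com action=allow",
    "domain=secure.widget.cloud.opta.net action=allow",
    "domain=Example.ORG. action=allow",
    "domain=cdn.example.net:8443 action=allow",
    "domain=10.0.0.5 action=allow",
    "domain=localhost action=deny",
]

def tld_counts(lines):
    """Count TLDs over log lines, skipping values that have none."""
    counts = Counter()
    for line in lines:
        m = DOMAIN_FIELD.search(line)
        tld = extract_tld(m.group(1)) if m else None
        if tld:
            counts[tld] += 1
    return counts

if __name__ == "__main__":
    for tld, n in tld_counts(SAMPLE_LOGS).most_common():
        print(tld, n)
```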