Abstract
Learn more about the Cortex Query Language extract_url_pub_suffix() function.
Syntax
extract_url_pub_suffix ("<URL>")
Description
The extract_url_pub_suffix() function returns the public suffix of the URL, such as com, org, or net. The function always returns a value in lowercase characters even if the URL provided contains uppercase characters.
Example
Output examples when using the function
Returns com for the following URL: https://paloaltonetworks.com
extract_url_pub_suffix ("https://paloaltonetworks.com")
Returns com for the following URL containing suffixes: https://www.test.paloaltonetworks.com/suffix/another_suffix
extract_url_pub_suffix ("https://www.test.paloaltonetworks.com/suffix/another_suffix")
Complete XQL Query Example
Returns one xdr_data record in the results table where the public suffix of the URL https://www.paloaltonetworks.com is listed in the URL_PUB_SUFFIX column as com.
dataset = xdr_data | alter url_pub_suffix = extract_url_pub_suffix("https://paloaltonetworks.com") | fields url_pub_suffix | limit 1
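Added example (Python, not Palo Alto Networks code and not part of the original page): an approximation of public-suffix extraction using longest-match rules in the style of the Public Suffix List, followed by a triage helper that groups URLs by unexpected suffix. The sample suffix set, the names pub_suffix and unexpected_suffixes, the multi-label co.uk case and the None result for IP hosts are assumptions, not documented behavior of extract_url_pub_suffix().

```python
from urllib.parse import urlsplit

# Constructed sample of public-suffix rules; the real list is far longer.
SAMPLE_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}


def pub_suffix(url, suffixes=SAMPLE_SUFFIXES):
    """Return the lowercase public suffix of url, or None if it has none."""
    # hostname drops scheme, userinfo, port and path, and is already lowercased.
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.rstrip(".")
    labels = host.split(".")
    # Assumption: IP literals (IPv6 or dotted IPv4) have no public suffix.
    if ":" in host or all(label.isdigit() for label in labels):
        return None
    # Longest match wins, so try the candidate with the most labels first.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    # Default rule for suffixes missing from the list: the last label.
    return labels[-1]


def unexpected_suffixes(urls, expected=frozenset({"com", "org", "net"})):
    """Group URLs whose suffix is outside the expected set, for triage."""
    flagged = {}
    for url in urls:
        suffix = pub_suffix(url)
        if suffix is not None and suffix not in expected:
            flagged.setdefault(suffix, []).append(url)
    return flagged


if __name__ == "__main__":
    # Constructed sample URLs; the first two are the ones used on this page.
    sample = [
        "https://paloaltonetworks.com",
        "https://www.test.paloaltonetworks.com/suffix/another_suffix",
        "HTTPS://WWW.EXAMPLE.ORG/Login",
        "https://shop.example.co.uk:8443/cart",
        "http://192.0.2.10/admin",
    ]
    for u in sample:
        print(u, "->", pub_suffix(u))
    print(unexpected_suffixes(sample))
```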