extract_url_host - Learn more about the Cortex Query Language extract_url_host() function. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation
Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-11-14
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language extract_url_host() function.

Syntax
extract_url_host ("<URL>")
Description

The extract_url_host() function returns the host of the URL. The function always returns a value in lowercase characters even if the URL provided contains uppercase characters.

Example
Output examples when using the function

Returns paloaltonetworks.com from the complete URL: https://www.paloaltonetworks.com.

extract_url_host ("https://www.paloaltonetworks.com")

Returns a.b for the URL: //user:password@a.b:80/path?query

extract_url_host ("//user:password@a.b:80/path?query")

Returns www.example.co.uk in lowercase for the complete URL: www.Example.Co.UK, which includes uppercase characters.

extract_url_host ("www.Example.Co.UK")

Returns www.test.paloaltonetworks.com for the following URL containing suffixes: https://www.test.paloaltonetworks.com/suffix/another_suffix

extract_url_host ("https://www.test.paloaltonetworks.com/suffix/another_suffix")
Complete XQL Query Example

Returns one xdr_data record in the results table where the host of the URL https://www.test.paloaltonetworks.com is listed in the URL_HOST column as www.test.paloaltonetworks.com.

dataset = xdr_data 
| alter url_host = extract_url_host("https://www.test.paloaltonetworks.com") 
| fields url_host 
| limit 1