Learn more about the Cortex Query Language extract_url_registered_domain() function.
Syntax
extract_url_registered_domain ("<URL>")
Description
The extract_url_registered_domain() function returns the registered domain (also called the registerable domain) of a URL, which is the public suffix plus one preceding label. The function always returns the value in lowercase characters, even if the URL provided contains uppercase characters.
Examples
Output examples when using the function
Returns paloaltonetworks.com from the complete URL: https://www.paloaltonetworks.com.
extract_url_registered_domain ("https://www.paloaltonetworks.com")
Returns NULL for the URL: //user:password@a.b:80/path?query
extract_url_registered_domain ("//user:password@a.b:80/path?query")
Returns example.co.uk in lowercase for the complete URL: www.Example.Co.UK, which includes uppercase characters.
extract_url_registered_domain ("www.Example.Co.UK")
Returns paloaltonetworks.com for the following URL containing suffixes: https://www.test.paloaltonetworks.com/suffix/another_suffix
extract_url_registered_domain ("https://www.test.paloaltonetworks.com/suffix/another_suffix")
Complete XQL query example
Returns one xdr_data record in the results table where the registered domain of the URL https://www.test.paloaltonetworks.com is listed in the REGISTERED_DOMAIN column as paloaltonetworks.com.
dataset = xdr_data
| alter registered_domain = extract_url_registered_domain("https://www.test.paloaltonetworks.com")
| fields registered_domain
| limit 1
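The rule from the Description (public suffix plus one preceding label, lowercased), modelled in Python as an added example for checking expected values outside XQL; it is not Cortex XDR's implementation or code from this page. The suffix set is a small constructed sample, registered_domain is a hypothetical helper name, and the wildcard and exception rules of the full Public Suffix List are not handled.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of public suffixes (assumption for this example);
# a real deployment would load the full Public Suffix List instead.
SAMPLE_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

# Matches an optional scheme followed by "//", i.e. input that already
# carries an authority marker urlsplit can recognise.
_HAS_AUTHORITY = re.compile(r"(?:[A-Za-z][A-Za-z0-9+.\-]*:)?//")


def registered_domain(url, suffixes=SAMPLE_SUFFIXES):
    """Return public suffix plus one preceding label, lowercased, or None."""
    # Scheme-less input such as "www.Example.Co.UK" needs a "//" prefix,
    # otherwise urlsplit treats the whole string as a path.
    if not _HAS_AUTHORITY.match(url):
        url = "//" + url
    try:
        # .hostname drops user:password@ and :port and lowercases the host.
        host = urlsplit(url).hostname
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return None
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    # Test the longest candidate suffix first so "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            # i == 0 means the host is itself a bare public suffix.
            return None if i == 0 else ".".join(labels[i - 1:])
    # In this model a host with no known suffix yields None, which lines up
    # with the NULL shown on this page for the host a.b.
    return None


if __name__ == "__main__":
    # The four inputs from the output examples on this page.
    for sample in (
        "https://www.paloaltonetworks.com",
        "//user:password@a.b:80/path?query",
        "www.Example.Co.UK",
        "https://www.test.paloaltonetworks.com/suffix/another_suffix",
    ):
        print(sample, "->", registered_domain(sample))
```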