extract_url_registered_domain

Cortex XSIAM XQL Language Reference

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-21
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language extract_url_registered_domain() function.

Syntax

extract_url_registered_domain ("<URL>")

Description

The extract_url_registered_domain() function returns the registered domain (also called the registerable domain) of a URL, that is, the public suffix plus one preceding label. The function always returns the value in lowercase, even if the URL provided contains uppercase characters.

Examples

Output examples when using the function

Returns paloaltonetworks.com from the complete URL: https://www.paloaltonetworks.com.

extract_url_registered_domain ("https://www.paloaltonetworks.com")

Returns NULL for the URL: //user:password@a.b:80/path?query

extract_url_registered_domain ("//user:password@a.b:80/path?query")

Returns example.co.uk in lowercase for the complete URL: www.Example.Co.UK, which includes uppercase characters.

extract_url_registered_domain ("www.Example.Co.UK")

Returns paloaltonetworks.com for the following URL containing suffixes: https://www.test.paloaltonetworks.com/suffix/another_suffix

extract_url_registered_domain ("https://www.test.paloaltonetworks.com/suffix/another_suffix")

Complete XQL query example

Returns one xdr_data record in the results table where the registered domain of the URL https://www.test.paloaltonetworks.com is listed in the REGISTERED_DOMAIN column as paloaltonetworks.com.

dataset = xdr_data 
| alter registered_domain = extract_url_registered_domain("https://www.test.paloaltonetworks.com") 
| fields registered_domain 
| limit 1
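
The following Python sketch is an added illustration, not Palo Alto Networks code and not how XQL implements the function. It models the "public suffix plus one preceding label" rule from the Description and reproduces the four output examples above. Assumptions: `PUBLIC_SUFFIXES` is a constructed three-entry stand-in for the Public Suffix List (wildcard and exception rules are ignored), the name `registered_domain` is hypothetical, and NULL (modeled as `None`) is assumed to mean that no known public suffix matched the host.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, just enough for the page's examples.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk"}


def registered_domain(url):
    """Return the public suffix plus one preceding label, lowercased, or None."""
    # urlsplit only recognises a host that follows "//", so add it for bare hosts
    # such as "www.Example.Co.UK".
    if "://" not in url and not url.startswith("//"):
        url = "//" + url
    # .hostname drops scheme, userinfo, port, path and query, and lowercases the host.
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    # Try candidate suffixes from longest to shortest so "co.uk" wins over "uk".
    for start in range(len(labels)):
        if ".".join(labels[start:]) in PUBLIC_SUFFIXES:
            if start == 0:
                return None  # the host is itself a public suffix
            return ".".join(labels[start - 1:])
    return None  # no known public suffix, as assumed for "a.b"


if __name__ == "__main__":
    for sample in (
        "https://www.paloaltonetworks.com",
        "//user:password@a.b:80/path?query",
        "www.Example.Co.UK",
        "https://www.test.paloaltonetworks.com/suffix/another_suffix",
    ):
        print(sample, "->", registered_domain(sample))
```

Grouping by the registered domain rather than the full hostname is what lets one aggregation cover every subdomain of the same registration, which is why the longest-suffix match matters for names such as example.co.uk.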