Keep only domain.tld in field with various subdomains


In my DNS logs I have a lot of very long URLs, for example those from CDNs. They can have one or more levels of subdomains, and I am looking to remove these.

For example: > >

And then there are TLDs like with their own dot.

Splitting by the dot was one thing I tried that didn't work out because then I have different amounts of fields to be looked at (and I have no idea how to handle this in Logstash).

I found this solution describing a regex approach to identify TLDs: Regex to extract the top level domain from a URL - Stack Overflow but it doesn't help with the example. Also, I can't find a reference on how to actually apply a regex to a string.

Can you suggest an elegant solution for this?

Thank you!

No. See my discussion of this here. In .uk, or .dz (Algeria), and other TLDs, some second level domain names are names, and some are labels under which domain names are assigned by the registrar (like But if I wanted to register then Nominet would show me dozens of registrars willing to host that as a second level domain. I could then host DNS servers for that and create under it.

Trying to track the policy of hundreds of TLD registrars about name vs. label categories for their second level domains is never going to be elegant.
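The difference between keeping the last two labels and matching against per-registry suffix rules, as an added example that is not part of the thread or of Logstash. The rule set is a small constructed excerpt in the format of the Public Suffix List (publicsuffix.org), and the function names and hostnames are hypothetical.

```ruby
require 'set'

# Constructed excerpt of public-suffix rules; a real deployment would load the
# full Public Suffix List and refresh it regularly, since registry policy changes.
SUFFIX_RULES = Set.new(%w[com net org uk co.uk org.uk dz com.dz *.ck]).freeze
EXCEPTION_RULES = Set.new(%w[www.ck]).freeze # written "!www.ck" in the list

# Number of trailing labels that form the public suffix of the name.
def suffix_length(labels)
  best = 1 # default rule "*": an unlisted TLD is a one-label suffix
  (0...labels.length).each do |i|
    candidate = labels[i..-1].join('.')
    # An exception rule wins outright: the suffix is the rule minus its first label.
    return labels.length - i - 1 if EXCEPTION_RULES.include?(candidate)
    wildcard = (['*'] + labels[(i + 1)..-1]).join('.')
    if SUFFIX_RULES.include?(candidate) || SUFFIX_RULES.include?(wildcard)
      best = [best, labels.length - i].max # longest matching rule wins
    end
  end
  best
end

# Registrable domain (public suffix plus one label), or nil when the name is
# empty, malformed, or is itself a public suffix.
def registrable_domain(name)
  labels = name.to_s.downcase.chomp('.').split('.')
  return nil if labels.empty? || labels.any?(&:empty?)
  n = suffix_length(labels)
  return nil if labels.length <= n
  labels.last(n + 1).join('.')
end

# The naive approach from the question: keep the last two labels.
def last_two_labels(name)
  name.to_s.downcase.chomp('.').split('.').last(2).join('.')
end
```

For DNS log analysis the practical consequence is that `last_two_labels` groups every customer of a registry label such as `co.uk` under one key, while the suffix-aware version keeps them apart only as long as the rule list is current.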
