URIHOST failing with trailing numbers on 2LD in Visualization

Dave_Evenden · October 4, 2018, 3:07am

when we use this grok:

match => { "message" => "^%{URIHOST:domain}" }

It successfully matches domains like so:

however when creating a visualization any 2LD's with a trailing number is separated into separate variables.

For instance in the visual the above domain is displayed like this:

However this domain "mydomain1.net" is being separated into two domains, the 2LD and the SLD, displayed like this:

domain: mydomain1
domain: net

why is this happening and how can I fix it?

Thank you.

system · November 1, 2018, 3:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.