ES|QL REGISTERED_DOMAIN command
The REGISTERED_DOMAIN processing command parses a fully qualified domain name (FQDN) string and extracts its parts (domain, registered domain, top-level domain, subdomain) into new columns using the public suffix list.
This command doesn't support multi-value inputs.
REGISTERED_DOMAIN prefix = expression
prefix- The prefix for the output columns. The extracted parts are available as
prefix.part_name. expression- The string expression containing the FQDN to parse.
The REGISTERED_DOMAIN command parses an FQDN string and extracts its parts into new columns.
The new columns are prefixed with the specified prefix followed by a dot (.).
The following columns are created:
prefix.domain- The full domain name (the input FQDN).
prefix.registered_domain- The registered domain (e.g.
example.co.ukforwww.example.co.uk). prefix.top_level_domain- The effective top-level domain (eTLD), e.g.
co.uk,com. prefix.subdomain- The subdomain part, if any (e.g.
wwwforwww.example.co.uk).
If a part is missing or the input is not a valid FQDN, the corresponding column contains null.
If the expression evaluates to null or blank, all output columns are null.
The following example parses an FQDN and extracts its parts:
ROW fqdn = "www.example.co.uk"
| REGISTERED_DOMAIN rd = fqdn
| KEEP rd.*
| rd.domain:keyword | rd.registered_domain:keyword | rd.top_level_domain:keyword | rd.subdomain:keyword |
|---|---|---|---|
| www.example.co.uk | example.co.uk | co.uk | www |
You can use the extracted parts in subsequent commands, for example to filter by registered domain:
FROM web_logs
| REGISTERED_DOMAIN rd = domain
| WHERE rd.registered_domain == "elastic.co"
| STATS COUNT(*) BY rd.subdomain