splunk / utbox

URL Toolbox (UTBox) is a set of building blocks for Splunk specially created for URL manipulation. UTBox has been created to be modular, easy to use and easy to deploy in any Splunk environment.
https://preview.splunkbase.splunk.com/app/2734/
Apache License 2.0

Mozilla ut_parse does not present ut_domain and other fields #1

Closed Bamfax closed 2 years ago

Bamfax commented 2 years ago

Hi Daniel, Ian or Mayur,

could you please take a look at [Splunk Answer UTBox Mozilla Issue](https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-URL-Toolbox-not-working-with-mozilla-list/m-p/586630/thread-id/76192)?

It seems the latest utbox v1.9.1 has a hiccup on parsing out ut_domain and other fields when using the mozilla suffix list. iana and custom work, also did v1.8 with the mozilla list. Strange, with only that small code change from 1.8 to 1.9.1.

Thanks a lot.

Bamfax commented 2 years ago

A rollback to v1.8 made it work again.

Test code:

```
| makeresults count=1
| eval query="www.somedomain.cloudapp.net/"
| eval list="mozilla"
| `ut_parse(query, list)`
```

Identical behavior on a search head cluster as on a single search head.

cchansk commented 2 years ago

I can confirm this resolved my mozilla list issue with v1.9.1 after replacing everything in the default and bin folder.

dfederschmidt commented 2 years ago

@Bamfax please update to 1.9.2 that was just made available on Splunkbase and verify that the list is now loaded as expected. Feel free to re-open this in case of issues. Thanks!