domain_split

The input is a single field that should be a well-formed DNS domain name. This transform splits the domain name into its highest registered domain and the sub-domain (which is everything to the left of the highest registered domain).

For example, the highest registered domain of ‘www.info.prelert.com’ is ‘prelert.com’ and the sub-domain is ‘www.info’.

  • single input
  • 2 outputs
  • default output fieldnames: “subDomain”, “hrd”
  • no arguments

Example

Split the domain field into its highest registered domain and sub-domain components, writing the results to the sub_domain and highest_registered_domain fields.

"transforms": [
    {
        "transform": "domain_split",
        "inputs": ["domain"],
        "outputs": ["sub_domain", "highest_registered_domain"]
    }
]

In the example above, the following input data:

time,                domain,               bytes_out
2015-03-01 01:00:00, www.google.com,       63529
2015-03-01 01:00:00, www.google.com.au,    253
2015-03-01 01:00:00, www.osc.state.ny.us,  736
2015-03-01 01:00:00, www.tax.state.ny.us,  9836
2015-03-01 01:00:00, assembly.state.ny.us, 897
2015-03-01 01:00:00, www.prelert.com,      1873
2015-03-01 01:00:00, info.prelert.com,     555

…will be transformed to:

time,                domain,               sub_domain,     highest_registered_domain, bytes_out
2015-03-01 01:00:00, www.google.com,       www,            google.com,                63529
2015-03-01 01:00:00, www.google.com.au,    www,            google.com.au,             253
2015-03-01 01:00:00, www.osc.state.ny.us,  www.osc.state,  ny.us,                     736
2015-03-01 01:00:00, www.tax.state.ny.us,  www.tax.state,  ny.us,                     9836
2015-03-01 01:00:00, assembly.state.ny.us, assembly.state, ny.us,                     897
2015-03-01 01:00:00, www.prelert.com,      www,            prelert.com,               1873
2015-03-01 01:00:00, info.prelert.com,     info,           prelert.com,               555
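
The split shown above can be reproduced with a longest-suffix match, as in the following added example (an illustration, not Prelert's code). The suffix set, the function name and the fallback for unknown suffixes are assumptions; it also handles case, a trailing root dot and malformed names, which the page's sample does not cover.

```python
# Illustration only, not Prelert's implementation.
# SUFFIXES is a constructed, minimal set chosen so the results match the
# table on this page; a real suffix list is far larger.
SUFFIXES = {"com", "com.au", "us"}

# Domains taken from the sample input on this page.
SAMPLE = ["www.google.com", "www.google.com.au", "www.osc.state.ny.us",
          "www.tax.state.ny.us", "assembly.state.ny.us",
          "www.prelert.com", "info.prelert.com"]


def domain_split(domain, suffixes=SUFFIXES):
    """Return (sub_domain, highest_registered_domain) for a DNS name.

    Returns ("", "") for input that is empty, contains an empty label,
    or is only a suffix, so malformed values never yield a bogus HRD.
    """
    name = domain.strip().rstrip(".").lower()  # drop root dot, fold case
    labels = name.split(".")
    if not name or any(not label for label in labels):
        return ("", "")
    # Scan from the left so the first hit is the longest matching suffix
    # ("com.au" is found before any shorter suffix).
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            if i == 0:
                return ("", "")  # nothing registered, e.g. "com.au"
            return (".".join(labels[:i - 1]), ".".join(labels[i - 1:]))
    # Assumption: with no known suffix, treat the last label as the suffix.
    if len(labels) < 2:
        return ("", "")
    return (".".join(labels[:-2]), ".".join(labels[-2:]))


if __name__ == "__main__":
    for d in SAMPLE:
        print(d, *domain_split(d), sep=", ")
```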