A bit ugly, but it should work. You could fiddle with the `map` command to make it go deeper.
| makeresults
``` Purpose: flag hostnames whose last dot-separated label also appears as one of the three labels before it (e.g. "fake.com.com"). ```
``` Sample data: five constructed rows, one per makeresults/append, each with a name (myurl) and a hostname (url). ```
| eval myurl="one",url="fake.com.com"
| append [| makeresults | eval myurl="two",url="google.com.some.com"]
| append [| makeresults | eval myurl="three",url="google.com"]
| append [| makeresults | eval myurl="four",url="msn.org.org"]
| append [| makeresults | eval myurl="five",url="geunine.gen2.com"]
| table myurl,url
``` Each rex is anchored at the end of the string: tld1 is the last label, tld2..tld4 are the labels 2, 3 and 4 positions from the end. ```
``` A rex that does not match (fewer labels than the pattern needs) leaves its field unset. ```
``` NOTE(review): assumes url holds a bare hostname as in the samples; a port, path or trailing dot would shift or break the labels - confirm against the real field. ```
| rex field=url "(?<tld1>[^\.]+$)"
| rex field=url "(?<tld2>[^\.]+)\.[^\.]+$"
| rex field=url "(?<tld3>[^\.]+)\.[^\.]+\.[^\.]+$"
| rex field=url "(?<tld4>[^\.]+)\.[^\.]+\.[^\.]+\.[^\.]+$"
``` case() returns the first matching branch, so only the nearest repeat of the last label is reported; with no match double_tld stays null. ```
``` NOTE(review): eval string comparison is presumably case-sensitive, so "Fake.COM.com" would not be flagged unless the labels are lower-cased first - confirm. ```
``` A repeat further left than the fourth-from-last label is not checked, and a hit is a heuristic: a legitimate host can repeat a label too. ```
| eval double_tld=case(tld1=tld2, "found_tld2", tld1=tld3,"found_tld3", tld1=tld4, "found_tld4")
``` A null double_tld makes the len() test fail, which yields "not_found". ```
| eval double_tld_status=if(len(double_tld)>0,"double_tld_found","not_found")
``` Drop the helper fields tld1..tld4; double_tld and double_tld_status do not match tld* and are kept. ```
| fields - tld*