I need a query that extracts TLDs from events and compares the results with a lookup table with blocklisted TLDs
I tried to use
sourcetype=<sourcetypename> |rex field=_raw "(?<TLD>\.\w+?)(?:$|\/)" | table TLD
It returned TLDs but included values I think may be part of IPs, e.g. .33, .136, .74 etc.
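The reason the posted rex picks up .33 and .136 is that `\w` matches digits, so the last octet of an IP address at the end of an event satisfies `\.\w+?(?:$|\/)` just as well as `.com` does. The following is an added example, not code from the original post: it reproduces the posted regex and a hardened one in plain Python so the difference can be tested offline, then checks the extracted TLD against a blocklist set the way the lookup would. The events and the blocklist are constructed; the hardened pattern requires an alphabetic TLD preceded by dotted host labels that begin the event or follow whitespace, `=` or `://`. The only change needed to reuse it in rex is the named-group syntax (`(?<TLD>...)` in Splunk's PCRE instead of Python's `(?P<TLD>...)`).

```python
"""TLD extraction from raw events with an IP-octet-safe regex and blocklist match.

Added example, not from the original post. Events and blocklist are constructed.
"""
import re

# Constructed sample events standing in for _raw (not real data)
EVENTS = [
    "GET http://cdn.example.com/js/app.js 200",
    "flow src=10.0.0.33 dst=192.168.1.136",
    "user visited https://login.bad-site.xyz/",
    "dns query mail.corp.example.co.uk",
    "GET http://203.0.113.74:8080/index.html",
    "host=evil.top",
]

# Constructed blocklist standing in for the lookup table (stored without the dot)
BLOCKLIST_TLDS = {"xyz", "top", "zip"}

# Regex from the question: \w matches digits, so the last octet of an IP at the
# end of an event (.33, .136, ...) is captured as a "TLD".
NAIVE_TLD = re.compile(r"(?P<TLD>\.\w+?)(?:$|/)")

# Hardened regex:
#  - the host must start the event or follow whitespace, '=' or '://', so a
#    file name inside a URL path (index.html) is not treated as a host
#  - one or more dotted labels precede the TLD
#  - the TLD itself is 2-63 letters only, so an IP octet can never match
#  - it must be followed by end of event, a path, a port, a query or a space
STRICT_TLD = re.compile(
    r"(?:^|[\s=]|://)(?:[A-Za-z0-9-]+\.)+(?P<TLD>[A-Za-z]{2,63})(?=$|[/:?\s])"
)


def extract_tld(event, pattern=STRICT_TLD):
    """Return the first match (like rex without max_match), lowercased, or None."""
    m = pattern.search(event)
    return m.group("TLD").lower() if m else None


def flag_blocklisted(events, blocklist=BLOCKLIST_TLDS):
    """Return (event, tld) pairs whose extracted TLD is in the blocklist."""
    hits = []
    for ev in events:
        tld = extract_tld(ev)
        if tld is not None and tld in blocklist:
            hits.append((ev, tld))
    return hits


if __name__ == "__main__":
    print("naive :", [extract_tld(e, NAIVE_TLD) for e in EVENTS])
    print("strict:", [extract_tld(e) for e in EVENTS])
    for ev, tld in flag_blocklisted(EVENTS):
        print(f"BLOCKLISTED .{tld}: {ev}")
```

Running it shows the naive pattern returning `.136` and `.html` for the IP-only events while the strict pattern returns `None` for them, and only the `.xyz` and `.top` events are reported as blocklisted. In Splunk the same strict pattern in `rex` followed by `| lookup <blocklist_lookup> TLD OUTPUT <flag_field> | where isnotnull(<flag_field>)` gives the equivalent result; note the strict group captures the TLD without the leading dot, so the lookup table must store it the same way.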