The has_any_ipv4_prefix function in APL lets you determine if an IPv4 address starts with any prefix in a list of specified prefixes. This function is particularly useful for filtering, segmenting, and analyzing data involving IP addresses, such as log data, network traffic, or security events. By efficiently checking prefixes, you can identify IP ranges of interest for purposes like geolocation, access control, or anomaly detection.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, checking if an IP address matches a prefix requires custom search logic with pattern matching or conditional expressions. In APL, has_any_ipv4_prefix provides a direct and optimized way to perform this check.
['sample-http-logs']
| where has_any_ipv4_prefix(uri, dynamic(['10.', '192.168.']))In ANSI SQL, you need to use LIKE clauses combined with OR operators to check prefixes. In APL, the has_any_ipv4_prefix function simplifies this process by accepting a dynamic list of prefixes.
['sample-http-logs']
| where has_any_ipv4_prefix(uri, dynamic(['10.', '192.168.']))Usage
Syntax
has_any_ipv4_prefix(ip_column, prefixes)Parameters
| Parameter | Type | Description |
|---|---|---|
ip_column |
string |
The column containing the IPv4 address. |
prefixes |
dynamic |
A list of IPv4 prefixes to check against. |
Returns
trueif the IPv4 address matches any of the specified prefixes.falseotherwise.
Use case example
Detect requests from specific IP ranges.
Query
['sample-http-logs']
| extend has_ip_prefix = has_any_ipv4_prefix('192.168.0.1', dynamic(['172.16.', '192.168.']))Output
| _time | has_ip_prefix | status |
|---|---|---|
| 2024-11-14T10:00:00 | true | 200 |
List of related functions
- has_any_ipv4: Matches any IP address in a string column with a list of IP addresses or ranges.
- has_ipv4_prefix: Checks if an IPv4 address matches a single prefix.
- has_ipv4: Checks if a single IP address is present in a string column.