The ipv4_is_private function determines if an IPv4 address belongs to a private range, as defined by RFC 1918. You can use this function to filter private addresses in datasets such as server logs, network traffic, and other IP-based data.

This function is especially useful in scenarios where you want to:

  • Exclude private IPs from logs to focus on public traffic.
  • Identify traffic originating from within an internal network.
  • Simplify security analysis by categorizing IP addresses.

The private IPv4 addresses reserved for private networks by the Internet Assigned Numbers Authority (IANA) are the following:

| IP address range | Number of addresses | Largest CIDR block (subnet mask) |
| --- | --- | --- |
| 10.0.0.0 – 10.255.255.255 | 16777216 | 10.0.0.0/8 (255.0.0.0) |
| 172.16.0.0 – 172.31.255.255 | 1048576 | 172.16.0.0/12 (255.240.0.0) |
| 192.168.0.0 – 192.168.255.255 | 65536 | 192.168.0.0/16 (255.255.0.0) |

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

In Splunk SPL, you might use a combination of CIDR matching functions or regex to check for private IPs. In APL, the ipv4_is_private function offers a built-in and concise way to achieve the same result.

Splunk SPL:

eval is_private=if(cidrmatch("10.0.0.0/8", ip) OR cidrmatch("172.16.0.0/12", ip) OR cidrmatch("192.168.0.0/16", ip), 1, 0)

APL equivalent:

['sample-http-logs']
| extend is_private=ipv4_is_private(client_ip)

In ANSI SQL, you might use CASE statements with CIDR-based checks or regex patterns to detect private IPs. In APL, the ipv4_is_private function simplifies this with a single call.

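ANSI SQL:

-- Note: LIKE '172.16.%' matches only 172.16.x.x. It does not cover the rest
-- of 172.16.0.0/12 (172.17.x.x through 172.31.x.x).
SELECT ip,
       CASE
         WHEN ip LIKE '10.%' OR ip LIKE '172.16.%' OR ip LIKE '192.168.%' THEN 'true'
         ELSE 'false'
       END AS is_private
FROM logs;

APL equivalent:

['sample-http-logs']
| extend is_private=ipv4_is_private(client_ip)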
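
The comparison below is an added example, not part of the original documentation or the product's own code: it tests addresses against the three RFC 1918 blocks from the table using Python's ipaddress module and contrasts the result with the string-prefix matching used in the SQL snippet. The function names, the None result for unparsable input, and the sample addresses are assumptions made for this illustration.

```python
import ipaddress

# The three RFC 1918 blocks listed in the table on this page.
RFC1918_BLOCKS = tuple(
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

# Prefixes equivalent to the LIKE patterns in the SQL snippet.
LIKE_PREFIXES = ("10.", "172.16.", "192.168.")


def is_rfc1918(ip):
    """Return True/False for a valid IPv4 string, None if it does not parse.

    Returning None for bad input is this example's choice (an assumption).
    """
    try:
        addr = ipaddress.IPv4Address(ip.strip())
    except (ipaddress.AddressValueError, AttributeError):
        return None
    return any(addr in block for block in RFC1918_BLOCKS)


def like_prefix_match(ip):
    """Emulate the string-prefix test from the SQL CASE expression."""
    return isinstance(ip, str) and ip.startswith(LIKE_PREFIXES)


def disagreements(ips):
    """List (ip, cidr_result, prefix_result) where the two checks differ."""
    rows = []
    for ip in ips:
        cidr, prefix = is_rfc1918(ip), like_prefix_match(ip)
        if cidr is not prefix:
            rows.append((ip, cidr, prefix))
    return rows


# Constructed sample values, not taken from any real log.
SAMPLE_IPS = [
    "10.1.2.3", "172.16.5.4", "172.20.10.9", "172.31.255.255", "172.32.0.1",
    "192.168.0.1", "192.169.0.1", "8.8.8.8", "10.0.0.256", "10.host.example",
]

if __name__ == "__main__":
    for ip, cidr, prefix in disagreements(SAMPLE_IPS):
        print(f"{ip:<16} cidr={cidr!s:<5} prefix={prefix}")
```

On the sample data, the prefix test misses 172.20.10.9 and 172.31.255.255, and it accepts malformed strings that merely begin with "10.".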

Usage

Syntax

ipv4_is_private(ip: string)

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| ip | string | The IPv4 address to evaluate for private range status. |

Returns

  • true: The input IP address is private.
  • false: The input IP address isn’t private.

Use case example

You can use ipv4_is_private to filter logs and focus on public traffic for external analysis.

Query

['sample-http-logs']
| extend is_private = ipv4_is_private('192.168.0.1')

Output

| geo.country | is_private |
| --- | --- |
| USA | true |
| UK | true |

  • ipv4_compare: Compares two IPv4 addresses lexicographically. Use for sorting or range evaluations.
  • ipv4_is_in_range: Checks if an IP address is within a specified range.
  • parse_ipv4: Converts a dotted-decimal IP address into a numeric representation.
