Use the ipv6_is_match function to determine whether an IPv6 address belongs to a specified IPv6 subnet. This function is useful when you want to classify, filter, or route network events based on IPv6 subnet membership.

You can use ipv6_is_match in scenarios such as identifying traffic from a known address range, enforcing access control policies, or correlating logs to specific networks. It supports CIDR notation for subnet specification and returns a boolean value for each row in your dataset.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Splunk SPL doesn’t have a dedicated function for matching IPv6 addresses against CIDR blocks. You typically use regular expressions or custom lookups to perform similar checks. In contrast, APL provides a built-in function that directly evaluates IPv6 CIDR membership.

```sql Splunk example | eval is_in_subnet=if(match(ipv6_field, "^2001:db8::/32"), "true", "false") ```` 
['sample-http-logs']
| extend is_in_subnet = ipv6_is_match('2001:db8:abcd:0012::0', '2001:db8::/32')

ANSI SQL doesn’t have a standard function to check if an IPv6 address belongs to a subnet. You often implement this logic with string manipulation or rely on database-specific functions. APL simplifies this with ipv6_is_match, which accepts a full IPv6 address and a subnet in CIDR notation.

```sql SQL example SELECT CASE WHEN ip_address LIKE '2001:db8:%' THEN TRUE ELSE FALSE END AS is_in_subnet FROM logs ``` 
['sample-http-logs']
| extend is_in_subnet = ipv6_is_match('2001:db8:abcd:0012::0', '2001:db8::/32')

Usage

Syntax

ipv6_is_match(ipv6_address, ipv6_subnet)

Parameters

Name Type Description
ipv6_address string The full IPv6 address you want to check.
ipv6_subnet string The target subnet in CIDR notation, e.g., 2001:db8::/32.

Returns

A boolean value:

  • true if the ipv6_address belongs to the specified ipv6_subnet.
  • false otherwise.

Example

Identify requests that originate from a known IPv6 subnet.

Query

['sample-http-logs']
| extend isInternal = ipv6_is_match('2001:db8:abcd::1', '2001:db8::/32')
| project _time, uri, method, status, isInternal

Run in Playground

Output

_time uri method status isInternal
2025-06-28T13:04:10Z /health GET 200 true
2025-06-28T13:05:22Z /api/orders POST 201 true
  • ipv4_is_match: Checks whether an IPv4 address belongs to a specified IPv4 subnet. Use it when working with IPv4 addresses.
  • parse_ipv4: Parses a string into an IPv4 address. Use it when working with raw IPv4 strings.

Good afternoon

I'm here to help you with the docs.

I
AIBased on your context