The has_any_ipv4 function in Axiom Processing Language (APL) allows you to check whether a specified column contains any IPv4 addresses from a given set of IPv4 addresses or CIDR ranges. This function is useful when analyzing logs, tracing OpenTelemetry data, or investigating security events to quickly filter records based on a predefined list of IP addresses or subnets.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Usage

Syntax

has_any_ipv4(column, ip_list)

Parameters

| Parameter | Description | Type |
| --- | --- | --- |
| column | The column to evaluate. | string |
| ip_list | A list of IPv4 addresses or CIDR ranges. | dynamic |

Returns

A boolean value indicating whether the specified column contains any of the given IPv4 addresses or matches any of the CIDR ranges in ip_list.

Use case example

When analyzing logs, you can use has_any_ipv4 to filter requests from specific IPv4 addresses or subnets.

Query

['sample-http-logs']
| extend has_ip = has_any_ipv4('192.168.1.1', dynamic(['192.168.1.1', '192.168.0.0/16']))

Output

| _time | has_ip | status |
| --- | --- | --- |
| 2024-11-14T10:00:00 | true | 200 |

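This query adds a has_ip field that is true when the evaluated value contains any of the listed IPv4 addresses or falls within any of the listed subnets. Here the first argument is the literal string '192.168.1.1', so has_ip is true for every row; to filter actual log entries, pass the column that holds the IP address instead.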
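
The following is an added example, not Axiom's code: a Python sketch that approximates the matching described under Returns, so an IP list can be checked against sample log lines offline before it goes into a query. The helper names, the token rule (a candidate touching further digits or dots is not an address) and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Dotted-quad candidates. The lookarounds reject tokens embedded in a longer
# run of digits and dots, such as 1192.168.1.10 or 192.168.1.1.7.
_IPV4_TOKEN = re.compile(r"(?<!\w)(?<!\d\.)(\d{1,3}(?:\.\d{1,3}){3})(?!\w|\.\d)")

# Constructed sample lines (not real traffic).
SAMPLE_LINES = [
    '192.168.44.7 - - "GET /login HTTP/1.1" 200',
    '203.0.113.9 - - "GET / HTTP/1.1" 200',
    "upstream=1192.168.1.10 status=502",
    "agent build 192.168.1.1.7 reported",
    "forwarded for 198.51.100.4, 192.168.1.1.",
]


def compile_ip_list(ip_list):
    """Parse addresses and CIDR ranges once; a bare address becomes a /32."""
    return [ipaddress.IPv4Network(entry, strict=False) for entry in ip_list]


def extract_ipv4(text):
    """Yield each valid IPv4 address found in text."""
    for token in _IPV4_TOKEN.findall(text):
        try:
            yield ipaddress.IPv4Address(token)
        except ipaddress.AddressValueError:
            continue  # out-of-range octets, e.g. 999.1.1.1


def has_any_ipv4_local(text, networks):
    """True if any address in text equals or falls inside a listed entry."""
    return any(addr in net for addr in extract_ipv4(text) for net in networks)


def scan(lines, ip_list):
    """Return the lines that match, in input order."""
    networks = compile_ip_list(ip_list)
    return [line for line in lines if has_any_ipv4_local(line, networks)]


if __name__ == "__main__":
    # Same list as the query above: one address and one /16 range.
    for hit in scan(SAMPLE_LINES, ["192.168.1.1", "192.168.0.0/16"]):
        print(hit)
```

Only the first and last sample lines match; the third and fourth contain the digits of a listed address but not the address itself, which is the kind of false positive a plain substring search would produce.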

  • has_ipv4_prefix: Checks if an IPv4 address matches a single prefix.
  • has_ipv4: Checks if a single IP address is present in a string column.