The has_any_ipv4_prefix function in APL lets you determine if an IPv4 address starts with any prefix in a list of specified prefixes. This function is particularly useful for filtering, segmenting, and analyzing data involving IP addresses, such as log data, network traffic, or security events. By efficiently checking prefixes, you can identify IP ranges of interest for purposes like geolocation, access control, or anomaly detection.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Usage

Syntax

has_any_ipv4_prefix(ip_column, prefixes)

Parameters

ParameterTypeDescription
ip_columnstringThe column containing the IPv4 address.
prefixesdynamicA list of IPv4 prefixes to check against.

Returns

  • true if the IPv4 address matches any of the specified prefixes.
  • false otherwise.

Use case example

Detect requests from specific IP ranges.

Query

['sample-http-logs']
| extend has_ip_prefix = has_any_ipv4_prefix('192.168.0.1', dynamic(['172.16.', '192.168.']))

Run in Playground

Output

_timehas_ip_prefixstatus
2024-11-14T10:00:00true200
  • has_any_ipv4: Matches any IP address in a string column with a list of IP addresses or ranges.
  • has_ipv4_prefix: Checks if an IPv4 address matches a single prefix.
  • has_ipv4: Checks if a single IP address is present in a string column.