The ipv4_compare function in APL allows you to compare two IPv4 addresses lexicographically or numerically. This is useful for sorting IP addresses, validating CIDR ranges, or detecting overlaps between IP ranges. It’s particularly helpful in analyzing network logs, performing security investigations, and managing IP-based filters or rules.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Usage

Syntax

ipv4_compare(ip1, ip2)

Parameters

ParameterTypeDescription
ip1stringThe first IPv4 address to compare.
ip2stringThe second IPv4 address to compare.

Returns

  • Returns 1 if the long representation of ip1 is greater than the long representation of ip2
  • Returns 0 if the long representation of ip1 is equal to the long representation of ip2
  • Returns -1 if the long representation of ip1 is less than the long representation of ip2
  • Returns null if the conversion fails.

Use case example

You can use ipv4_compare to sort logs based on IP addresses or to identify connections between specific IPs.

Query

['sample-http-logs']
| extend ip1 = '192.168.1.1', ip2 = '192.168.1.10'
| extend comparison = ipv4_compare(ip1, ip2)

Run in Playground

Output

ip1ip2comparison
192.168.1.1192.168.1.10-1

This query compares two hardcoded IP addresses. It returns -1, indicating that 192.168.1.1 is lexicographically less than 192.168.1.10.

  • ipv4_is_in_range: Checks if an IP address is within a specified range.
  • ipv4_is_private: Checks if an IPv4 address is within private IP ranges.
  • parse_ipv4: Converts a dotted-decimal IP address into a numeric representation.