Skip to main content
Use the ipv6_compare function to compare two IPv6 addresses and determine their relative order. This function helps you evaluate whether one address is less than, equal to, or greater than another. It returns -1, 0, or 1 accordingly. You can use ipv6_compare in scenarios where IPv6 addresses are relevant, such as sorting traffic logs, grouping metrics by address ranges, or identifying duplicate or misordered entries. It’s especially useful in network observability and security use cases where working with IPv6 is common.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk SPL doesn’t have a built-in function for directly comparing IPv6 addresses. Users often work around this limitation by converting the addresses into a comparable numeric format using external scripts or custom commands.
| eval ip1 = "2001:db8::1", ip2 = "2001:db8::2"
| eval comparison = if(ip1 == ip2, 0, if(ip1 < ip2, -1, 1))
ANSI SQL doesn’t natively support IPv6 comparisons. Typically, users must store IPv6 addresses as strings or binary values and write custom logic to compare them.
SELECT CASE
  WHEN ip1 = ip2 THEN 0
  WHEN ip1 < ip2 THEN -1
  ELSE 1
END AS comparison
FROM my_table

Usage

Syntax

ipv6_compare(ipv6_1, ipv6_2)

Parameters

NameTypeDescription
ipv6_1stringThe first IPv6 address to compare.
ipv6_2stringThe second IPv6 address to compare.

Returns

An integer that represents the result of the comparison:
  • -1 if ipv6_1 is less than ipv6_2
  • 0 if ipv6_1 is equal to ipv6_2
  • 1 if ipv6_1 is greater than ipv6_2

Example

Use ipv6_compare to identify whether requests from certain IPv6 addresses fall into specific ranges or appear out of expected order. Query 
['sample-http-logs']
| extend comparison = ipv6_compare('2001:db8::1', '2001:db8::abcd')
| project _time, uri, method, status, comparison
Run in Playground Output
_timeurimethodstatuscomparison
2025-06-29T22:10:00Z/products/1GET200-1
This example compares two static IPv6 addresses and attaches the result to each row for further filtering or grouping.
  • ipv6_is_match: Checks if an IPv6 address matches a given subnet. Use it for range filtering instead of sorting or comparison.
  • ipv4_is_private: Determines whether an IPv4 address is in a private range. Use this to filter non-public traffic.
  • ipv4_compare: Works the same way as ipv6_compare but for IPv4 addresses. Use it when your data contains IPv4 instead of IPv6.
I