has_ipv4_prefix
This page explains how to use the has_ipv4_prefix function in APL.
The has_ipv4_prefix function checks if an IPv4 address starts with a specified prefix. Use this function to filter or match IPv4 addresses efficiently based on their prefixes. It is particularly useful when analyzing network traffic, identifying specific address ranges, or working with CIDR-based IP filtering in datasets.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk SPL users
Splunk SPL users
In Splunk SPL, you use string-based matching or CIDR functions for IP comparison. In APL, has_ipv4_prefix simplifies the process by directly comparing an IP against a prefix.
ANSI SQL users
ANSI SQL users
In ANSI SQL, there is no direct equivalent to has_ipv4_prefix. You would typically use substring or LIKE operators for partial matching. APL provides a dedicated function for this purpose, ensuring simplicity and accuracy.
Usage
Syntax
Parameters
| Parameter | Type | Description |
|---|---|---|
column_name | string | The column containing the IPv4 addresses to evaluate. |
prefix | string | The prefix to check for, expressed as a string (e.g., “192.0”). |
Returns
- Returns a Boolean (
trueorfalse) indicating whether the IPv4 address starts with the specified prefix.
Use case example
Use has_ipv4_prefix to filter logs for requests originating from a specific IP range.
Query
Output
| _time | has_prefix | status |
|---|---|---|
| 2024-11-14T10:00:00 | true | 200 |
List of related functions
- has_any_ipv4: Matches any IP address in a string column with a list of IP addresses or ranges.
- has_ipv4: Checks if a single IP address is present in a string column.