The has_ipv4_prefix function checks if an IPv4 address starts with a specified prefix. Use this function to filter or match IPv4 addresses efficiently based on their prefixes. It is particularly useful when analyzing network traffic, identifying specific address ranges, or working with CIDR-based IP filtering in datasets.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

In Splunk SPL, you use string-based matching or CIDR functions for IP comparison. In APL, has_ipv4_prefix simplifies the process by directly comparing an IP against a prefix.

| eval is_match = if(cidrmatch("192.168.0.0/24", ip), "true", "false")

In ANSI SQL, there is no direct equivalent to has_ipv4_prefix. You would typically use substring or LIKE operators for partial matching. APL provides a dedicated function for this purpose, ensuring simplicity and accuracy.

SELECT *
FROM sample_http_logs
WHERE ip LIKE '192.168.0%'
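
The comparison above sets plain string matching (SQL LIKE) against a dedicated prefix check and SPL's cidrmatch. The following Python code is an added example, not Axiom's implementation: the whole-octet matching rule in `octet_prefix`, the function names, and the sample addresses are assumptions made for illustration. It shows where a bare string prefix over-matches neighbouring ranges and accepts malformed addresses.

```python
import ipaddress

def naive_prefix(ip: str, prefix: str) -> bool:
    """Plain string comparison, the same test as SQL `ip LIKE '<prefix>%'`."""
    return ip.startswith(prefix)

def octet_prefix(ip: str, prefix: str) -> bool:
    """Assumed semantics: match whole octets only, on a valid IPv4 address."""
    try:
        ipaddress.IPv4Address(ip)  # rejects 192.168.1.999, 1.2.3, etc.
    except ipaddress.AddressValueError:
        return False
    want = prefix.rstrip(".").split(".")
    if not 1 <= len(want) <= 4:
        return False
    if not all(p.isascii() and p.isdigit() and int(p) <= 255 for p in want):
        return False  # malformed prefix such as "192.x" or ""
    return ip.split(".")[:len(want)] == want

def cidr_match(ip: str, cidr: str) -> bool:
    """Netmask comparison, the same idea as SPL cidrmatch()."""
    try:
        return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(cidr)
    except ValueError:
        return False

# Constructed sample values, not taken from any real log.
SAMPLE = [
    "192.168.1.20",   # inside 192.168.1.0/24
    "192.168.10.5",   # different /24, shares the string prefix "192.168.1"
    "192.168.100.7",  # different /24, shares the string prefix "192.168.1"
    "192.168.1.999",  # not a valid IPv4 address
    "10.0.0.1",       # unrelated
]

def compare(prefix: str, cidr: str) -> dict:
    """Return {ip: (naive, octet_aware, cidr)} for every sample address."""
    return {
        ip: (naive_prefix(ip, prefix), octet_prefix(ip, prefix), cidr_match(ip, cidr))
        for ip in SAMPLE
    }

if __name__ == "__main__":
    for ip, row in compare("192.168.1", "192.168.1.0/24").items():
        print(f"{ip:15} naive={row[0]!s:5} octet={row[1]!s:5} cidr={row[2]}")
```

Adding a trailing dot to the string prefix ("192.168.1.") removes the 192.168.10.x and 192.168.100.x matches from the naive check, but it still accepts the malformed 192.168.1.999.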

Usage

Syntax

has_ipv4_prefix(column_name, prefix)

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| column_name | string | The column containing the IPv4 addresses to evaluate. |
| prefix | string | The prefix to check for, expressed as a string (e.g., “192.0”). |

Returns

  • Returns a Boolean (true or false) indicating whether the IPv4 address starts with the specified prefix.

Use case example

Use has_ipv4_prefix to filter logs for requests originating from a specific IP range.

Query

['sample-http-logs']
| extend has_prefix = has_ipv4_prefix('192.168.0.1', '192.168.')

Output

| _time | has_prefix | status |
| --- | --- | --- |
| 2024-11-14T10:00:00 | true | 200 |

  • has_any_ipv4: Matches any IP address in a string column with a list of IP addresses or ranges.
  • has_ipv4: Checks if a single IP address is present in a string column.