Use the ipv6_is_match function to determine whether an IPv6 address belongs to a specified IPv6 subnet. This function is useful when you want to classify, filter, or route network events based on IPv6 subnet membership. You can use ipv6_is_match in scenarios such as identifying traffic from a known address range, enforcing access control policies, or correlating logs to specific networks. It supports CIDR notation for subnet specification and returns a boolean value for each row in your dataset.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk SPL does not have a dedicated function for matching IPv6 addresses against CIDR blocks. You typically use regular expressions or custom lookups to perform similar checks. In contrast, APL provides a built-in function that directly evaluates IPv6 CIDR membership.
| eval is_in_subnet=if(match(ipv6_field, "^2001:db8::/32"), "true", "false")
ANSI SQL does not have a standard function to check if an IPv6 address belongs to a subnet. You often implement this logic with string manipulation or rely on database-specific functions. APL simplifies this with ipv6_is_match, which accepts a full IPv6 address and a subnet in CIDR notation.
SELECT CASE 
  WHEN ip_address LIKE '2001:db8:%' THEN TRUE 
  ELSE FALSE 
END AS is_in_subnet
FROM logs

Usage

Syntax

ipv6_is_match(ipv6_address, ipv6_subnet)

Parameters

NameTypeDescription
ipv6_addressstringThe full IPv6 address you want to check.
ipv6_subnetstringThe target subnet in CIDR notation, e.g., 2001:db8::/32.

Returns

A boolean value:
  • true if the ipv6_address belongs to the specified ipv6_subnet.
  • false otherwise.

Example

Identify requests that originate from a known IPv6 subnet. Query 
['sample-http-logs']
| extend isInternal = ipv6_is_match('2001:db8:abcd::1', '2001:db8::/32')
| project _time, uri, method, status, isInternal
Run in Playground Output
_timeurimethodstatusisInternal
2025-06-28T13:04:10Z/healthGET200true
2025-06-28T13:05:22Z/api/ordersPOST201true
  • ipv4_is_match: Checks whether an IPv4 address belongs to a specified IPv4 subnet. Use it when working with IPv4 addresses.
  • parse_ipv4: Parses a string into an IPv4 address. Use it when working with raw IPv4 strings.