has_ipv4_prefix()
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Returns a value indicating whether a specified IPv4 address prefix appears in a text.
A valid IP address prefix is either a complete IPv4 address (192.168.1.11
) or its prefix ending with a dot (192.
, 192.168.
or 192.168.1.
).
IP address entrances in a text must be properly delimited with nonalphanumeric characters. For example, properly delimited IP addresses are:
- "These requests came from: 192.168.1.1, 10.1.1.115 and 10.1.1.201"
- "05:04:54 127.0.0.1 GET /favicon.ico 404"
Syntax
has_ipv4_prefix(
source ,
ip_address_prefix )
Learn more about syntax conventions.
Parameters
Name | Type | Required | Description |
---|---|---|---|
source | string |
✔️ | The text to search. |
ip_address_prefix | string |
✔️ | The IP address prefix for which to search. |
Returns
true
if the ip_address_prefix is a valid IPv4 address prefix, and it was found in source. Otherwise, the function returns false
.
Tip
To search for many IPv4 prefixes at once, use the has_any_ipv4_prefix() function.
Examples
Properly formatted IPv4 prefix
print result=has_ipv4_prefix('05:04:54 127.0.0.1 GET /favicon.ico 404', '127.0.')
result |
---|
true |
Invalid IPv4 prefix
print result=has_ipv4_prefix('05:04:54 127.0.0.1 GET /favicon.ico 404', '127.0')
result |
---|
false |
Invalid IPv4 address
print result=has_ipv4_prefix('05:04:54 127.0.0.256 GET /favicon.ico 404', '127.0.')
result |
---|
false |
Improperly delimited IPv4 address
print result=has_ipv4_prefix('05:04:54127.0.0.1 GET /favicon.ico 404', '127.0.')
result |
---|
false |