has_ipv4_prefix()

Applies to: ✅ Azure Data ExplorerAzure MonitorMicrosoft Sentinel

Returns a value indicating whether a specified IPv4 address prefix appears in a text.

A valid IP address prefix is either a complete IPv4 address (192.168.1.11) or its prefix ending with a dot (192., 192.168. or 192.168.1.).

IP address entrances in a text must be properly delimited with nonalphanumeric characters. For example, properly delimited IP addresses are:

  • "These requests came from: 192.168.1.1, 10.1.1.115 and 10.1.1.201"
  • "05:04:54 127.0.0.1 GET /favicon.ico 404"

Syntax

has_ipv4_prefix(source , ip_address_prefix )

Learn more about syntax conventions.

Parameters

Name Type Required Description
source string ✔️ The text to search.
ip_address_prefix string ✔️ The IP address prefix for which to search.

Returns

true if the ip_address_prefix is a valid IPv4 address prefix, and it was found in source. Otherwise, the function returns false.

Tip

To search for many IPv4 prefixes at once, use the has_any_ipv4_prefix() function.

Examples

Properly formatted IPv4 prefix

print result=has_ipv4_prefix('05:04:54 127.0.0.1 GET /favicon.ico 404', '127.0.')
result
true

Invalid IPv4 prefix

print result=has_ipv4_prefix('05:04:54 127.0.0.1 GET /favicon.ico 404', '127.0')
result
false

Invalid IPv4 address

print result=has_ipv4_prefix('05:04:54 127.0.0.256 GET /favicon.ico 404', '127.0.')
result
false

Improperly delimited IPv4 address

print result=has_ipv4_prefix('05:04:54127.0.0.1 GET /favicon.ico 404', '127.0.')
result
false