ipv4_is_match()

Applies to: ✅ Azure Data ExplorerAzure MonitorMicrosoft Sentinel

Matches two IPv4 strings. The two IPv4 strings are parsed and compared while accounting for the combined IP-prefix mask calculated from argument prefixes, and the optional prefix argument.

Syntax

ipv4_is_match(ip1,ip2[ ,prefix])

Learn more about syntax conventions.

Parameters

Name Type Required Description
ip1, ip2 string ✔️ An expression representing an IPv4 address. IPv4 strings can be masked using IP-prefix notation.
prefix int An integer from 0 to 32 representing the number of most-significant bits that are taken into account.

IP-prefix notation

IP-prefix notation (also known as CIDR notation) is a concise way of representing an IP address and its associated network mask. The format is <base IP>/<prefix length>, where the prefix length is the number of leading 1 bits in the netmask. The prefix length determines the range of IP addresses that belong to the network.

For IPv4, the prefix length is a number between 0 and 32. So the notation 192.168.2.0/24 represents the IP address 192.168.2.0 with a netmask of 255.255.255.0. This netmask has 24 leading 1 bits, or a prefix length of 24.

For IPv6, the prefix length is a number between 0 and 128. So the notation fe80::85d:e82c:9446:7994/120 represents the IP address fe80::85d:e82c:9446:7994 with a netmask of ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00. This netmask has 120 leading 1 bits, or a prefix length of 120.

Returns

  • true: If the long representation of the first IPv4 string argument is equal to the second IPv4 string argument.
  • false: Otherwise.
  • null: If conversion for one of the two IPv4 strings wasn't successful.

Note

When matching against an IPv4 address that's not a range, we recommend using the equals operator (==), for better performance.

Examples

Simple example

print ipv4_is_match('192.168.1.1/24', '192.168.1.255')

Output

print_0
true

IPv4 comparison equality - IP-prefix notation specified inside the IPv4 strings

datatable(ip1_string:string, ip2_string:string)
[
 '192.168.1.0',    '192.168.1.0',       // Equal IPs
 '192.168.1.1/24', '192.168.1.255',     // 24 bit IP-prefix is used for comparison
 '192.168.1.1',    '192.168.1.255/24',  // 24 bit IP-prefix is used for comparison
 '192.168.1.1/30', '192.168.1.255/24',  // 24 bit IP-prefix is used for comparison
]
| extend result = ipv4_is_match(ip1_string, ip2_string)

Output

ip1_string ip2_string result
192.168.1.0 192.168.1.0 true
192.168.1.1/24 192.168.1.255 true
192.168.1.1 192.168.1.255/24 true
192.168.1.1/30 192.168.1.255/24 true

IPv4 comparison equality - IP-prefix notation specified inside the IPv4 strings and an additional argument of the ipv4_is_match() function

datatable(ip1_string:string, ip2_string:string, prefix:long)
[
 '192.168.1.1',    '192.168.1.0',   31, // 31 bit IP-prefix is used for comparison
 '192.168.1.1/24', '192.168.1.255', 31, // 24 bit IP-prefix is used for comparison
 '192.168.1.1',    '192.168.1.255', 24, // 24 bit IP-prefix is used for comparison
]
| extend result = ipv4_is_match(ip1_string, ip2_string, prefix)

Output

ip1_string ip2_string prefix result
192.168.1.1 192.168.1.0 31 true
192.168.1.1/24 192.168.1.255 31 true
192.168.1.1 192.168.1.255 24 true