The ipv4_compare function in APL allows you to compare two IPv4 addresses lexicographically or numerically. This is useful for sorting IP addresses, validating CIDR ranges, or detecting overlaps between IP ranges. It’s particularly helpful in analyzing network logs, performing security investigations, and managing IP-based filters or rules.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk SPL users
In Splunk SPL, similar functionality can be achieved using sort or custom commands. In APL, ipv4_compare is a dedicated function for comparing two IPv4 addresses.
ANSI SQL users
In ANSI SQL, you might manually parse or order IP addresses as strings. In APL, ipv4_compare simplifies this task with built-in support for IPv4 comparison.
Usage
Syntax
Parameters
| Parameter | Type | Description |
|---|---|---|
| ip1 | string | The first IPv4 address to compare. |
| ip2 | string | The second IPv4 address to compare. |
Returns
- Returns 1 if the long representation of ip1 is greater than the long representation of ip2.
- Returns 0 if the long representation of ip1 is equal to the long representation of ip2.
- Returns -1 if the long representation of ip1 is less than the long representation of ip2.
- Returns null if the conversion fails.
Use case example
You can use ipv4_compare to sort logs based on IP addresses or to identify connections between specific IPs.
Query
| ip1 | ip2 | comparison | 
|---|---|---|
| 192.168.1.1 | 192.168.1.10 | -1 | 
The result is -1, indicating that 192.168.1.1 is lexicographically less than 192.168.1.10.
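The following Python model of the return values listed under Returns is an added illustration, not Axiom's implementation and not code from the original page. It shows why comparing the long representation matters for sorting and range-overlap checks: a plain string sort puts 192.168.1.10 before 192.168.1.9. The function names and sample addresses are constructed for this example, and it assumes that anything Python's ipaddress module rejects counts as a failed conversion.

```python
import ipaddress
from functools import cmp_to_key

def ipv4_to_long(ip):
    """Return the 32-bit integer ("long") form of a dotted-decimal string, or None."""
    if not isinstance(ip, str):
        return None
    try:
        return int(ipaddress.IPv4Address(ip))
    except ValueError:  # AddressValueError is a subclass of ValueError
        return None

def ipv4_compare_model(ip1, ip2):
    """Model of the documented results: 1, 0, -1, or None if a conversion fails."""
    a, b = ipv4_to_long(ip1), ipv4_to_long(ip2)
    if a is None or b is None:
        return None
    return (a > b) - (a < b)

def sort_ips(ips):
    """Sort valid addresses by long representation; return (sorted, rejected)."""
    valid = [ip for ip in ips if ipv4_to_long(ip) is not None]
    rejected = [ip for ip in ips if ipv4_to_long(ip) is None]
    return sorted(valid, key=cmp_to_key(ipv4_compare_model)), rejected

def ranges_overlap(start1, end1, start2, end2):
    """Inclusive ranges overlap when each one starts at or before the other's end."""
    c1 = ipv4_compare_model(start1, end2)
    c2 = ipv4_compare_model(start2, end1)
    if c1 is None or c2 is None:
        return None  # propagate the failed conversion instead of guessing
    return c1 <= 0 and c2 <= 0

# Constructed sample addresses (not taken from real logs).
SAMPLE = ["192.168.1.10", "192.168.1.9", "10.0.0.200",
          "192.168.1.1", "not-an-ip", "10.0.0.30"]

if __name__ == "__main__":
    ordered, rejected = sort_ips(SAMPLE)
    print("numeric order:", ordered)
    print("string order: ", sorted(ip for ip in SAMPLE if ip not in rejected))
    print("rejected:     ", rejected)
    print("compare:      ", ipv4_compare_model("192.168.1.1", "192.168.1.10"))
    print("overlap:      ", ranges_overlap("10.0.0.0", "10.0.0.255",
                                           "10.0.0.128", "10.0.1.255"))
```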
List of related functions
- ipv4_is_in_range: Checks if an IP address is within a specified range.
- ipv4_is_private: Checks if an IPv4 address is within private IP ranges.
- parse_ipv4: Converts a dotted-decimal IP address into a numeric representation.