Skip to main content

Network functions

Functions for working with IP addresses, CIDR ranges, and network operations.

cidr_contains(cidr, ip)

Tests whether an IP address falls within a CIDR range.

Parameters

  • cidr - String expression representing a CIDR range (e.g., "192.168.1.0/24" or "2001:db8::/32")
  • ip - String expression representing an IP address to test

Returns

  • true - The IP address is within the CIDR range
  • false - The IP address is outside the CIDR range
  • null - Invalid CIDR format, invalid IP format, or either parameter is null

Description

The cidr_contains() function checks whether the specified IP address falls within the given CIDR range. It supports both IPv4 and IPv6 addresses and CIDR notations. The function returns null for invalid inputs rather than raising an error, making it safe to use when processing untrusted network data.

Examples

Check if specific IP addresses fall within a CIDR range. The function works with both IPv4 and IPv6 addresses, and returns true when the IP is within the range, false when outside, or null for invalid inputs.

cidr_contains('192.168.1.0/24', '192.168.1.100')
# Returns: true

cidr_contains('2001:db8::/32', '2001:db8::1')
# Returns: true

cidr_contains('10.0.0.0/8', '192.168.1.1')
# Returns: false

cidr_contains('not_a_cidr', '192.168.1.1')
# Returns: null

Filter security events to show only traffic originating from internal network ranges. This pattern is common in security analytics when identifying which events came from inside versus outside the network perimeter.

FROM security_events
| WHERE cidr_contains('10.0.0.0/8', source_ip)
| SELECT timestamp, source_ip, action

is_ipv4(ip)

Tests whether a string is a valid IPv4 address.

Parameters

  • ip - String expression to test

Returns

  • true - The string is a valid IPv4 address
  • false - The string is a valid IPv6 address
  • null - The string is not a valid IP address, empty string, or null

Description

The is_ipv4() function validates whether the input string represents a valid IPv4 address. It returns true for valid IPv4 addresses, false for valid IPv6 addresses, and null for invalid or non-IP strings. This three-valued logic distinguishes between "definitely IPv4", "definitely not IPv4 but valid IPv6", and "not a valid IP at all".

Note that IPv4-mapped IPv6 addresses (like ::ffff:192.168.1.1) are normalized to their IPv4 representation and return true, since they represent IPv4 addresses.

Examples

Test individual IP addresses to determine their type. The function returns true for IPv4, false for IPv6, and null for anything that isn't a valid IP address.

is_ipv4('192.168.1.100')
# Returns: true

is_ipv4('2001:db8::1')
# Returns: false

is_ipv4('not_an_ip')
# Returns: null

Filter network logs to show only events with IPv4 source addresses. This is useful when analyzing traffic patterns or building reports that need to separate IPv4 and IPv6 connections.

FROM network_logs
| WHERE is_ipv4(source_ip)
| SELECT timestamp, source_ip, destination_ip

Count how many connections use IPv4 versus IPv6. The AGG command groups by the result of is_ipv4(), creating separate counts for true (IPv4), false (IPv6), and null (invalid addresses).

FROM network_logs
| AGG ipv4_count = count() BY is_ipv4(source_ip)

is_ipv6(ip)

Tests whether a string is a valid IPv6 address.

Parameters

  • ip - String expression to test

Returns

  • true - The string is a valid IPv6 address
  • false - The string is a valid IPv4 address
  • null - The string is not a valid IP address, empty string, or null

Description

The is_ipv6() function validates whether the input string represents a valid IPv6 address. It returns true for valid IPv6 addresses, false for valid IPv4 addresses, and null for invalid or non-IP strings. This three-valued logic distinguishes between "definitely IPv6", "definitely not IPv6 but valid IPv4", and "not a valid IP at all".

Note that IPv4-mapped IPv6 addresses (like ::ffff:192.168.1.1) are normalized to their IPv4 representation and return false, since they ultimately represent IPv4 addresses.

Examples

Test individual IP addresses to determine their type. The function recognizes all IPv6 formats including compressed notation and the loopback address.

is_ipv6('2001:db8::1')
# Returns: true

is_ipv6('::1')
# Returns: true

is_ipv6('192.168.1.100')
# Returns: false

is_ipv6('not_an_ip')
# Returns: null

Filter network logs to show only events with IPv6 source addresses. This lets you analyze IPv6-specific traffic or build reports segmented by IP version.

FROM network_logs
| WHERE is_ipv6(source_ip)
| SELECT timestamp, source_ip, destination_ip

Classify IP addresses by version using a case expression. The SET command creates a new field that labels each address as IPv4, IPv6, or Invalid based on validation results, then aggregates the counts.

FROM network_logs
| SET ip_version = case(
    is_ipv4(source_ip): "IPv4",
    is_ipv6(source_ip): "IPv6",
    "Invalid"
  )
| AGG count() BY ip_version

Working with network data

Detect external connections originating from internal hosts by combining multiple CIDR checks. The first WHERE filters for internal source addresses, while the second excludes internal destinations, leaving only outbound connections to external networks.

FROM network_connections
| WHERE cidr_contains('10.0.0.0/8', source_ip)
| WHERE NOT cidr_contains('10.0.0.0/8', destination_ip)
| SELECT
    timestamp,
    source_ip,
    destination_ip,
    is_ipv4(destination_ip) AS dest_is_ipv4

Analyze DNS query patterns by IP version. The case expression classifies resolved IP addresses as A records (IPv4) or AAAA records (IPv6), then counts queries by type to show adoption trends.

FROM dns_queries
| SET query_type = case(
    is_ipv4(resolved_ip): "A",
    is_ipv6(resolved_ip): "AAAA",
    "OTHER"
  )
| AGG query_count = count() BY query_type
| SORT query_count DESC