Check if Field Contains Valid IP Address
Check if field contains valid IP address using the cidr() function
Query
case {
cidr("address", subnet=["0.0.0.0/0", "::/0"]) | ip := address;
*
}
Introduction
The cidr() function can be used to filter events using CIDR subnets and is used for both IPv4 and IPv6 addresses.
In this example, the cidr() function is used to check if a field contains valid IP addresses, both IPv4 and IPv6.
Step-by-Step
Starting with the source repository events.
case { cidr("address", subnet=["0.0.0.0/0", "::/0"]) | ip := address; * }
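Checks whether the address field contains a valid IP address, either IPv4 or IPv6, and if so assigns that address to the field ip. Events that do not match fall through to the * branch and are passed on unchanged.
If you only want to check for valid IPv4 addresses, use: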
cidr("address", subnet="0.0.0.0/0")
If you only want to check for valid IPv6 addresses, use:
cidr("address", subnet="::/0")
Event Result set.
Summary and Results
The query is used to check for valid IP addresses.
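The check works because every well-formed IPv4 address lies inside 0.0.0.0/0 and every well-formed IPv6 address inside ::/0, so a subnet match against both is equivalent to a parse check. The following added example (not part of the LogScale documentation) models that logic and the two case branches with Python's ipaddress module; the function names and sample events are constructed for illustration, and Python's parser may differ from LogScale's on unusual address spellings.

```python
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def cidr_match(value, subnets):
    """True if value is a string that parses as an IP address inside any subnet."""
    # Only accept strings: ipaddress would otherwise read an int as an address.
    if not isinstance(value, str):
        return False
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    # A v4 address is never "in" a v6 network and vice versa.
    return any(addr in net for net in subnets)


def tag_valid_ip(event, subnets=(ANY_V4, ANY_V6)):
    """Model of the case statement: the first branch sets ip,
    the '*' branch passes the event on unchanged."""
    out = dict(event)
    if cidr_match(event.get("address"), subnets):
        out["ip"] = event["address"]
    return out


# Constructed sample events (documentation address ranges only).
SAMPLE_EVENTS = [
    {"address": "192.0.2.10"},       # valid IPv4
    {"address": "2001:db8::1"},      # valid IPv6
    {"address": "999.1.1.1"},        # octet out of range
    {"address": "192.0.2.10:443"},   # address with port appended
    {"address": "192.0.2.0/24"},     # a network, not a single address
    {"address": "example.test"},     # hostname
    {"message": "no address field"}, # field missing
]


def run(events):
    return [tag_valid_ip(e) for e in events]


if __name__ == "__main__":
    for result in run(SAMPLE_EVENTS):
        print(result)
```

Passing subnets=(ANY_V4,) or subnets=(ANY_V6,) to tag_valid_ip models the IPv4-only and IPv6-only variants shown above.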