Skip to main content

ipv4ToNumber Search Operator

The ipv4ToNumber operator allows you to convert an Internet Protocol version 4 (IPv4) IP address from the octet dot-decimal format to a decimal format. This decimal format makes it easier to compare one IP address to another, rather than relying on IP masking.

tip

The CIDR operator allows you to leverage Classless Inter-Domain Routing (CIDR) notation to narrow the analysis of IPv4 networks to specific subnets.

Syntax

ipv4ToNumber(<ip_addr>) [as <field>]

Rules

  • The input to the function must be a valid IPv4 address string.

Examples

Parse IP addresses and convert to number

The following query parses IP addresses, and converts them to numbers, then uses the fields operator to remove all fields except "ip" and "num".

_sourceCategory=service remote_ip
| parse "[remote_ip=*]" as ip
| ipv4ToNumber(ip) as num
| fields ip, num

would produce results like:

ipv4

Detect the IP range for a single user

The following query looks at the number of IP addresses, and the IP range, by user. This could be used to determine if someone has hacked a user account.

_sourceCategory=service remote_ip
| parse "auth=User:*:" as user
| parse "[remote_ip=*]" as remote_ip
| ipv4ToNumber(remote_ip) as remote_ip_dec
| max(remote_ip_dec) as max_ip, min(remote_ip_dec) as min_ip, count_distinct(remote_ip_dec) as count_ips by user
| max_ip - min_ip as ip_range
| where ip_range > 0
| fields user, count_ips, ip_range

would produce results like:

ipv4ToNumber

Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.