The ipv4_netmask_suffix function in APL extracts the netmask suffix from an IPv4 address. The netmask suffix, also known as the subnet prefix length, specifies how many bits are used for the network portion of the address.

This function is useful for network log analysis, security auditing, and infrastructure monitoring. It helps you categorize IP addresses by their subnets, enabling you to detect patterns or anomalies in network traffic or to manage IP allocations effectively.

​

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

​

Usage

​

Syntax

ipv4_netmask_suffix(ipv4address)

​

Parameters

​

Returns

• An integer representing the netmask suffix. For example, 24 for 192.168.1.1/24.
• Returns null if the input is not a valid IPv4 address in CIDR notation.

​

Use case example

When analyzing network traffic logs, you can extract the netmask suffix to group or filter traffic by subnets.

Query

['sample-http-logs']
| extend netmask = ipv4_netmask_suffix('192.168.1.1/24')

Run in Playground

Output

​

List of related functions

• ipv4_compare: Compares two IPv4 addresses lexicographically. Use for sorting or range evaluations.
• ipv4_is_in_range: Checks if an IP address is within a specified range.
• ipv4_is_private: Checks if an IPv4 address is within private IP ranges.
• parse_ipv4: Converts a dotted-decimal IP address into a numeric representation.