axiomhq
diff --git a/‎apl/scalar-functions/ip-functions.mdx
Lines changed: 6 additions & 1 deletion b/‎apl/scalar-functions/ip-functions.mdx
Lines changed: 6 additions & 1 deletion
diff --git a/‎apl/scalar-functions/ip-functions/format-ipv4-mask.mdx
Lines changed: 91 additions & 0 deletions b/‎apl/scalar-functions/ip-functions/format-ipv4-mask.mdx
Lines changed: 91 additions & 0 deletions
diff --git a/‎apl/scalar-functions/ip-functions/ipv6-compare.mdx
Lines changed: 104 additions & 0 deletions b/‎apl/scalar-functions/ip-functions/ipv6-compare.mdx
Lines changed: 104 additions & 0 deletions
diff --git a/‎apl/scalar-functions/ip-functions/ipv6-is-in-any-range.mdx
Lines changed: 101 additions & 0 deletions b/‎apl/scalar-functions/ip-functions/ipv6-is-in-any-range.mdx
Lines changed: 101 additions & 0 deletions
@@ -11,17 +11,22 @@ The table summarizes the IP functions available in APL.
 | Function                                                                                | Description |
 |-----------------------------------------------------------------------------------------|-------------|
 | [format_ipv4](/apl/scalar-functions/ip-functions/format-ipv4)                           | Parses input with a netmask and returns string representing IPv4 address.            |
+| [format_ipv4_mask](/apl/scalar-functions/ip-functions/format-ipv4-mask)                           | Formats an IPv4 address and a bitmask into CIDR notation.            |
 | [geo_info_from_ip_address](/apl/scalar-functions/ip-functions/geo-info-from-ip-address) | Extracts geographical, geolocation, and network information from IP addresses.            |
 | [has_any_ipv4](/apl/scalar-functions/ip-functions/has-any-ipv4)                         | Returns a Boolean value indicating whether the specified column contains any of the given IPv4 addresses.            |
 | [has_any_ipv4_prefix](/apl/scalar-functions/ip-functions/has-any-ipv4-prefix)           | Returns a Boolean value indicating whether the IPv4 address matches any of the specified prefixes.            |
 | [has_ipv4](/apl/scalar-functions/ip-functions/has-ipv4)                                 | Returns a Boolean value indicating whether the given IPv4 address is valid and found in the source text.            |
 | [has_ipv4_prefix](/apl/scalar-functions/ip-functions/has-ipv4-prefix)                   | Returns a Boolean value indicating whether the given IPv4 address starts with a specified prefix.            |
 | [ipv4_compare](/apl/scalar-functions/ip-functions/ipv4-compare)                         | Compares two IPv4 addresses.            |
-| [ipv4_is_in_range](/apl/scalar-functions/ip-functions/ipv4-is-in-range)                 | Checks if IPv4 string address is in IPv4-prefix notation range.            |
 | [ipv4_is_in_any_range](/apl/scalar-functions/ip-functions/ipv4-is-in-any-range)         | Returns a Boolean value indicating whether the given IPv4 address is in any specified range.            |
+| [ipv4_is_in_range](/apl/scalar-functions/ip-functions/ipv4-is-in-range)                 | Checks if IPv4 string address is in IPv4-prefix notation range.            |
 | [ipv4_is_match](/apl/scalar-functions/ip-functions/ipv4-is-match)                       | Returns a Boolean value indicating whether the given IPv4 matches the specified pattern.            |
 | [ipv4_is_private](/apl/scalar-functions/ip-functions/ipv4-is-private)                   | Checks if IPv4 string address belongs to a set of private network IPs.            |
 | [ipv4_netmask_suffix](/apl/scalar-functions/ip-functions/ipv4-netmask-suffix)           | Returns the value of the IPv4 netmask suffix from IPv4 string address.            |
+| [ipv6_compare](/apl/scalar-functions/ip-functions/ipv6-compare)                         | Compares two IPv6 addresses.            |
+| [ipv6_is_in_any_range](/apl/scalar-functions/ip-functions/ipv6-is-in-any-range)         | Returns a Boolean value indicating whether the given IPv6 address is in any specified range.            |
+| [ipv6_is_in_range](/apl/scalar-functions/ip-functions/ipv6-is-in-range)                 | Checks if IPv6 string address is in IPv6-prefix notation range.            |
+| [ipv6_is_match](/apl/scalar-functions/ip-functions/ipv6-is-match)                       | Returns a Boolean value indicating whether the given IPv6 matches the specified pattern.            |
 | [parse_ipv4](/apl/scalar-functions/ip-functions/parse-ipv4)                             | Converts input to long (signed 64-bit) number representation.            |
 | [parse_ipv4_mask](/apl/scalar-functions/ip-functions/parse-ipv4-mask)                   | Converts input string and IP-prefix mask to long (signed 64-bit) number representation.            |
 
 
@@ -0,0 +1,91 @@
+---
+title: format_ipv4_mask
+description: 'This page explains how to use the format_ipv4_mask function in APL.'
+---
+
+Use the `format_ipv4_mask` function to format an IPv4 address and a bitmask into Classless Inter-Domain Routing (CIDR) notation. This function is useful when you need to standardize or analyze network addresses, especially in datasets that contain raw IPs or numerical IP representations. It supports both string-based and numeric IPv4 inputs and can apply an optional prefix to generate a subnet mask.
+
+You can use `format_ipv4_mask` to normalize IP addresses, extract network segments, or apply filtering or grouping logic based on subnet granularity.
+
+## For users of other query languages
+
+If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
+
+<AccordionGroup>
+<Accordion title="Splunk SPL users">
+
+SPL doesn’t have a direct built-in equivalent to `format_ipv4_mask`. To format IPv4 addresses with subnet masks, you typically use custom field extractions or external lookup tables. In contrast, APL provides a native function for this task, simplifying analysis at the network or subnet level.
+
+<CodeGroup>
+```sql Splunk example
+| eval cidr=ip."/24"
+````
+
+```kusto APL equivalent
+format_ipv4_mask('192.168.1.10', 24)
+```
+
+</CodeGroup>
+
+</Accordion>
+<Accordion title="ANSI SQL users">
+
+Standard SQL lacks native functions for manipulating IP addresses or CIDR notation. This type of transformation usually requires application-side logic or user-defined functions (UDFs). APL simplifies this by offering a first-class function for formatting IPs directly in queries.
+
+<CodeGroup>
+```sql SQL example
+-- Requires custom UDF or external processing
+SELECT format_ip_with_mask(ip, 24) FROM connections
+```
+
+```kusto APL equivalent
+format_ipv4_mask(ip, 24)
+```
+
+</CodeGroup>
+
+</Accordion>
+</AccordionGroup>
+
+## Usage
+
+### Syntax
+
+```kusto
+format_ipv4_mask(ip, prefix)
+```
+
+### Parameters
+
+| Name   | Type   | Required | Description                                                                                             |
+| ------ | ------ | -------- | ------------------------------------------------------------------------------------------------------- |
+| ip     | string | ✔️       | The IPv4 address in CIDR notation. You can use a string (e.g., `'192.168.1.1'`) or a big-endian number. |
+| prefix | int    | ✔️       | An integer between 0 and 32. Specifies how many leading bits to include in the mask.          |
+
+### Returns
+
+A string representing the IPv4 address in CIDR notation if the conversion succeeds. If the conversion fails, the function returns an empty string.
+
+## Example
+
+**Query**
+
+```kusto
+['sample-http-logs']
+| extend subnet = format_ipv4_mask('192.168.1.54', 24)
+| project _time, subnet
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20extend%20subnet%20%3D%20format_ipv4_mask('192.168.1.54'%2C%2024)%20%7C%20project%20_time%2C%20subnet%22%7D)
+
+**Output**
+
+| _time         | subnet |
+| -------------- | ----- |
+| 1Jun 30, 11:11:46 | 192.168.1.0/24   |
+
+## List of related functions
+
+- [format_ipv4](/apl/scalar-functions/ip-functions/format-ipv4): Converts a 32-bit unsigned integer to an IPv4 address string. Use it when your input is a raw numeric IP instead of a prefix length.
+- [parse_ipv4](/apl/scalar-functions/ip-functions/parse-ipv4): Parses an IPv4 string into a numeric representation. Use it when you want to do arithmetic or masking on IP addresses.
+- [ipv4_is_in_range](/apl/scalar-functions/ip-functions/ipv4-is-in-range): Checks whether an IPv4 address falls within a given range. Use it when you need to filter or classify IPs against subnets.
@@ -0,0 +1,104 @@
+---
+title: ipv6_compare
+description: 'This page explains how to use the ipv6_compare function in APL.'
+---
+
+Use the `ipv6_compare` function to compare two IPv6 addresses and determine their relative order. This function helps you evaluate whether one address is less than, equal to, or greater than another. It returns `-1`, `0`, or `1` accordingly.
+
+You can use `ipv6_compare` in scenarios where IPv6 addresses are relevant, such as sorting traffic logs, grouping metrics by address ranges, or identifying duplicate or misordered entries. It’s especially useful in network observability and security use cases where working with IPv6 is common.
+
+## For users of other query languages
+
+If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
+
+<AccordionGroup>
+<Accordion title="Splunk SPL users">
+
+Splunk SPL does not have a built-in function for directly comparing IPv6 addresses. Users often work around this limitation by converting the addresses into a comparable numeric format using external scripts or custom commands.
+
+<CodeGroup>
+```sql Splunk example
+| eval ip1 = "2001:db8::1", ip2 = "2001:db8::2"
+| eval comparison = if(ip1 == ip2, 0, if(ip1 < ip2, -1, 1))
+````
+
+```kusto APL equivalent
+print comparison = ipv6_compare('2001:db8::1', '2001:db8::2')
+```
+
+</CodeGroup>
+
+</Accordion>
+<Accordion title="ANSI SQL users">
+
+ANSI SQL does not natively support IPv6 comparisons. Typically, users must store IPv6 addresses as strings or binary values and write custom logic to compare them.
+
+<CodeGroup>
+```sql SQL example
+SELECT CASE
+  WHEN ip1 = ip2 THEN 0
+  WHEN ip1 < ip2 THEN -1
+  ELSE 1
+END AS comparison
+FROM my_table
+```
+
+```kusto APL equivalent
+print comparison = ipv6_compare('2001:db8::1', '2001:db8::2')
+```
+
+</CodeGroup>
+
+</Accordion>
+</AccordionGroup>
+
+## Usage
+
+### Syntax
+
+```kusto
+ipv6_compare(ipv6_1, ipv6_2)
+```
+
+### Parameters
+
+| Name     | Type   | Description                         |
+| -------- | ------ | ----------------------------------- |
+| `ipv6_1` | string | The first IPv6 address to compare.  |
+| `ipv6_2` | string | The second IPv6 address to compare. |
+
+### Returns
+
+An integer that represents the result of the comparison:
+
+- `-1` if `ipv6_1` is less than `ipv6_2`
+- `0` if `ipv6_1` is equal to `ipv6_2`
+- `1` if `ipv6_1` is greater than `ipv6_2`
+
+## Example
+
+Use `ipv6_compare` to identify whether requests from certain IPv6 addresses fall into specific ranges or appear out of expected order.
+
+**Query**
+
+```kusto
+['sample-http-logs']
+| extend comparison = ipv6_compare('2001:db8::1', '2001:db8::abcd')
+| project _time, uri, method, status, comparison
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20extend%20comparison%20%3D%20ipv6_compare('2001%3Adb8%3A%3A1'%2C%20'2001%3Adb8%3A%3Aabcd')%20%7C%20project%20_time%2C%20uri%2C%20method%2C%20status%2C%20comparison%22%7D)
+
+**Output**
+
+| _time               | uri         | method | status | comparison |
+| -------------------- | ----------- | ------ | ------ | ---------- |
+| 2025-06-29T22:10:00Z | /products/1 | GET    | 200    | -1         |
+
+This example compares two static IPv6 addresses and attaches the result to each row for further filtering or grouping.
+
+## List of related functions
+
+- [ipv6_is_match](/apl/scalar-functions/ip-functions/ipv6-is-match): Checks if an IPv6 address matches a given subnet. Use it for range filtering instead of sorting or comparison.
+- [ipv4_is_private](/apl/scalar-functions/ip-functions/ipv4-is-private): Determines whether an IPv4 address is in a private range. Use this to filter non-public traffic.
+- [ipv4_compare](/apl/scalar-functions/ip-functions/ipv4-compare): Works the same way as `ipv6_compare` but for IPv4 addresses. Use it when your data contains IPv4 instead of IPv6.
@@ -0,0 +1,101 @@
+---
+title: ipv6_is_in_any_range
+description: 'This page explains how to use the ipv6_is_in_any_range function in APL.'
+---
+
+Use the `ipv6_is_in_any_range` function to determine whether a given IPv6 address belongs to any of a specified set of IPv6 CIDR ranges. This function is particularly useful in log enrichment, threat detection, and network analysis tasks that involve validating or filtering IP addresses against allowlists or blocklists.
+
+You can use this function to:
+- Detect whether traffic originates from known internal or external networks.
+- Match IPv6 addresses against predefined address ranges for compliance or security auditing.
+- Filter datasets based on whether requesters fall into allowed or disallowed IP zones.
+
+## For users of other query languages
+
+If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
+
+<AccordionGroup>
+<Accordion title="Splunk SPL users">
+
+Splunk doesn’t offer a built-in function that directly checks if an IP falls within a list of CIDR ranges. Typically, SPL users must write custom logic using `cidrmatch()` repeatedly or rely on lookup tables.
+
+<CodeGroup>
+```sql Splunk example
+| eval is_internal = if(cidrmatch("2001:db8::/32", ip), "true", "false")
+````
+
+```kusto APL equivalent
+ipv6_is_in_any_range('2001:db8::1', dynamic(['2001:db8::/32']))
+```
+
+</CodeGroup>
+
+</Accordion>
+<Accordion title="ANSI SQL users">
+
+ANSI SQL doesn’t natively support IPv6-aware CIDR range checks. Such functionality usually requires user-defined functions or external extensions.
+
+<CodeGroup>
+```sql SQL example
+-- Typically handled via stored procedures or UDFs in extended SQL environments
+SELECT ip, is_in_range(ip, '2001:db8::/32') FROM traffic_logs
+```
+
+```kusto APL equivalent
+ipv6_is_in_any_range('2001:db8::1', dynamic(['2001:db8::/32']))
+```
+
+</CodeGroup>
+
+</Accordion>
+</AccordionGroup>
+
+## Usage
+
+### Syntax
+
+```kusto
+ipv6_is_in_any_range(ipv6_address, ipv6_ranges)
+```
+
+### Parameters
+
+| Name           | Type            | Description                                               |
+| -------------- | --------------- | --------------------------------------------------------- |
+| `ipv6_address` | `string`        | An IPv6 address in standard format (e.g., `2001:db8::1`). |
+| `ipv6_ranges`  | `dynamic array` | A JSON array of IPv6 CIDR strings to compare against.     |
+
+### Returns
+
+A `bool` value:
+
+- `true` if the given IPv6 address is within any of the provided CIDR ranges.
+- `false` otherwise.
+
+## Example
+
+You want to detect HTTP requests from a specific internal IPv6 block.
+
+**Query**
+
+```kusto
+['sample-http-logs']
+| extend inRange = ipv6_is_in_any_range('2001:db8::1234', dynamic(['2001:db8::/32', 'fd00::/8']))
+| project _time, uri, method, status, inRange
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20extend%20inRange%20%3D%20ipv6_is_in_any_range('2001%3Adb8%3A%3A1234'%2C%20dynamic(%5B'2001%3Adb8%3A%3A%2F32'%2C%20'fd00%3A%3A%2F8'%5D))%20%7C%20project%20_time%2C%20id%2C%20uri%2C%20method%2C%20status%2C%20inRange%22%7D)
+
+**Output**
+
+| _time               | uri          | method | status | inRange
+| -------------------- | ------------ | ------ | ------ | --- |
+| 2025-06-30T01:00:00Z | /api/login   | POST   | 200    | true |
+| 2025-06-30T01:01:00Z | /healthcheck | GET    | 204    | true |
+
+
+## List of related functions
+
+- [ipv4_is_in_any_range](/apl/scalar-functions/ip-functions/ipv4-is-in-any-range): Use this function when working with IPv4 addresses instead of IPv6.
+- [ipv6_compare](/apl/scalar-functions/ip-functions/ipv6-compare): Compares two IPv6 addresses. Use this for sorting or deduplication rather than range matching.
+- [ipv6_is_match](/apl/scalar-functions/ip-functions/ipv6-is-match): Checks whether an IPv6 address matches a specific range. Use this if you need to test against a single CIDR block.