CIDR IP addresses in AQL queries
You can use CIDR IP addresses (IPv4 or IPv6) in your AQL statements to query by IP address range, to match on source IP or destination IP, or to exclude specific CIDR IP addresses.
Examples of CIDR IP addresses in AQL queries
Query by source CIDR IP address, or by destination CIDR IP address.
SELECT * FROM flows
WHERE INCIDR('10.100.100.0/24',sourceip)

SELECT * FROM flows
WHERE INCIDR('10.100.100.0/24',destinationip)

SELECT * FROM flows
WHERE INCIDR('ff02:0:0:0:0:1:ff2f:29d6',destinationv6)
Query for flows that have a source or destination CIDR IP address of 10.100.100.0/24.
SELECT * FROM flows
WHERE INCIDR('10.100.100.0/24',sourceip)
OR INCIDR('10.100.100.0/24',destinationip)
Query for events where 192.168.222.0/24 is not the source CIDR IP address.
SELECT *
FROM events
WHERE NOT INCIDR('192.168.222.0/24',sourceip)
Query for flows where 192.168.222.0/24 is not the destination CIDR IP address.
SELECT *
FROM flows
WHERE NOT INCIDR('192.168.222.0/24',destinationip)
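
The following query is an added example, not part of the original documentation. It combines INCIDR and NOT INCIDR in one statement to list flows from the 10.100.100.0/24 subnet to destinations outside the RFC 1918 private ranges, ranked by bytes sent. The private ranges, the bytes_out and flow_count aliases, the row limit and the 24-hour window are assumptions chosen for illustration.

```sql
-- Added example: flows leaving 10.100.100.0/24 for non-private destinations.
-- The three NOT INCIDR conditions exclude the RFC 1918 private ranges,
-- so only external destination addresses remain.
-- bytes_out and flow_count are aliases chosen for this example.
SELECT sourceip,
       destinationip,
       SUM(sourcebytes) AS bytes_out,
       COUNT(*) AS flow_count
FROM flows
WHERE INCIDR('10.100.100.0/24', sourceip)
  AND NOT INCIDR('10.0.0.0/8', destinationip)
  AND NOT INCIDR('172.16.0.0/12', destinationip)
  AND NOT INCIDR('192.168.0.0/16', destinationip)
GROUP BY sourceip, destinationip
ORDER BY bytes_out DESC
LIMIT 20
LAST 24 HOURS
```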