Query Details

Parse Ipv4 Malfunction

Query

// issue when QueriedIPAddress has this format 010.001.010.001
DnsEvents
| extend QueriedIPAddress = extract(strcat(@"((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$"), 1, Name)
| where not(isempty(QueriedIPAddress) or QueriedIPAddress == "127.0.0.1")
| distinct Name, QueriedIPAddress
| project
            Name,
            QueriedIPAddress,
 Col1 =     parse_ipv4(QueriedIPAddress),
 Col2 =     isnotempty(parse_ipv4(QueriedIPAddress)),
 Col3 =     isempty(parse_ipv4(QueriedIPAddress)),
 Auxiliar = gettype(parse_ipv4(QueriedIPAddress))
| where isempty(parse_ipv4(QueriedIPAddress))

Explanation

This query identifies issues with IP addresses written in the format 010.001.010.001. It extracts an IPv4 address from the end of the Name field, filters out empty results and the localhost address 127.0.0.1, and then checks whether parse_ipv4() returns a value for the extracted address. Only the rows where parse_ipv4() returns an empty result are displayed, together with the parse result, the isnotempty() and isempty() checks on it, and its type as reported by gettype().
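
An added example, not part of the original query: the same extraction run over constructed sample rows, with a normalization step before parse_ipv4() so zero-padded addresses are not dropped from IP-based filters. SampleDnsEvents, Ipv4AtEnd and the output column names are hypothetical, and the normalization assumes zero-padded octets are meant as decimal (some parsers read them as octal).

```kql
// Constructed rows standing in for DnsEvents (not real telemetry).
let SampleDnsEvents = datatable(Name: string) [
    "host.example.com",          // no trailing IPv4 literal
    "10.1.10.1",                 // canonical dotted quad
    "010.001.010.001",           // leading zeros, the format named in the query comment
    "lookup.192.168.001.010"     // leading zeros in the last two octets
];
// Same pattern as the original query; it accepts octets such as "010" and "001".
let Ipv4AtEnd = @"((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$";
SampleDnsEvents
| extend QueriedIPAddress = extract(Ipv4AtEnd, 1, Name)
| where isnotempty(QueriedIPAddress)
// Assumption: stripping leading zeros per octet gives a form parse_ipv4() accepts.
// \b anchors at the start of each octet; the captured digit keeps "0" and "000" as "0".
| extend NormalizedIP = replace_regex(QueriedIPAddress, @"\b0+(\d)", @"\1")
| project
    Name,
    QueriedIPAddress,
    ParsedRaw = parse_ipv4(QueriedIPAddress),
    NormalizedIP,
    ParsedNormalized = parse_ipv4(NormalizedIP),
    NeededNormalizing = QueriedIPAddress != NormalizedIP
```

Rows where ParsedRaw is empty but ParsedNormalized is not are the ones the original query surfaces.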

Details

Jose Sebastián Canós

Released: April 3, 2024

Tables

DnsEvents

Keywords

DnsEvents,QueriedIPAddress,Name,Col1,Col2,Col3,Auxiliar,parse_ipv4,isnotempty,isempty,gettype

Operators

extend,extract,where,not,isempty,or,distinct,project,parse_ipv4,isnotempty,Auxiliar,gettype
