Kusto 查询,将 CIDR 范围数组与 IP 进行比较
Kusto query, comparing array of CIDR ranges to an IP
我正尝试在 Kusto 中做一些与此类似的事情 post:
但使用公开可用列表中的 IP 范围与某些日志进行比较。
这是我尝试过的方法,我相信这个问题与我不知道如何引用外部数据的“网络”属性有关。
我收到“无法解析查询”错误。抱歉格式化,我不确定如何让它尊重换行符。
let IP_Data = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv'];
let testIP = datatable (myip: string) ['4.28.114.50','4.59.176.50']; //Random IPs in Canada
testIP
| mv-apply tmpIP = IP_Data.network to typeof(string) on (
where ipv4_is_in_range(myip, tmpIP
)
| project-away tmpIP
这直接回答了 OP 问题,但是对于这种情况有一个很好的解决方案,基于 ipv4_lookup 插件。
查看新答案
对于两个选项 -
由于 CSV 有 header,所以我将 with (ignoreFirstRecord = true) 添加到 external_data
选项 1
- testIP 被定义为数组(而不是单个列 table)。
- 基础 table 是
IP_Data 但 mv-apply 是在 testIP 数组上完成的。这使您能够访问 IP_Data 和 testIP 中的值
let IP_Data = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv'] with (ignoreFirstRecord = true);
let testIP = dynamic(['4.28.114.50','4.59.176.50']); //Random IPs in Canada
IP_Data
| mv-apply testIP = testIP to typeof(string) on (where ipv4_is_in_range(testIP, network))
network
geoname_id
continent_code
continent_name
country_iso_code
country_name
is_anonymous_proxy
is_satellite_provider
testIP
4.28.114.0/24
6251999
NA
North America
CA
Canada
false
false
4.28.114.50
4.59.176.0/24
6251999
NA
North America
CA
Canada
false
false
4.59.176.50
选项 2
交叉连接两个 table(使用虚拟列)然后过滤结果
let IP_Data = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv'] with (ignoreFirstRecord = true);
let testIP = datatable (myip: string) ['4.28.114.50','4.59.176.50']; //Random IPs in Canada
testIP | extend dummy = 1
| join kind=inner (IP_Data | extend dummy = 1) on dummy
| where ipv4_is_in_range(myip, network)
| project-away dummy*
myip
network
geoname_id
continent_code
continent_name
country_iso_code
country_name
is_anonymous_proxy
is_satellite_provider
4.28.114.50
4.28.114.0/24
6251999
NA
North America
CA
Canada
false
false
4.59.176.50
4.59.176.0/24
6251999
NA
North America
CA
Canada
false
false
新答案
1M IP 演示,基于 ipv4_lookup 插件
let geoip2_ipv4 = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv'] with (ignoreFirstRecord = true)
| extend continent_name = coalesce(continent_name, '--- Missing ---');
let ips = materialize(range i from 1 to 1000000 step 1 | extend ip = format_ipv4(tolong(rand() * pow(2,32))));
ips
| evaluate ipv4_lookup(geoip2_ipv4, ip, network, return_unmatched = true)
| summarize count() by continent_name
continent_name
count_
North America
399059
Asia
201902
Europe
173566
South America
33795
Oceania
13384
Africa
17569
--- Missing ---
226
160499
我正尝试在 Kusto 中做一些与此类似的事情 post:
这是我尝试过的方法,我相信这个问题与我不知道如何引用外部数据的“网络”属性有关。
我收到“无法解析查询”错误。抱歉格式化,我不确定如何让它尊重换行符。
let IP_Data = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv'];
let testIP = datatable (myip: string) ['4.28.114.50','4.59.176.50']; //Random IPs in Canada
testIP
| mv-apply tmpIP = IP_Data.network to typeof(string) on (
where ipv4_is_in_range(myip, tmpIP
)
| project-away tmpIP
这直接回答了 OP 问题,但是对于这种情况有一个很好的解决方案,基于 ipv4_lookup 插件。
查看新答案
对于两个选项 -
由于 CSV 有 header,所以我将 with (ignoreFirstRecord = true) 添加到 external_data
选项 1
- testIP 被定义为数组(而不是单个列 table)。
- 基础 table 是
IP_Data但mv-apply是在testIP数组上完成的。这使您能够访问IP_Data和testIP 中的值
let IP_Data = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv'] with (ignoreFirstRecord = true);
let testIP = dynamic(['4.28.114.50','4.59.176.50']); //Random IPs in Canada
IP_Data
| mv-apply testIP = testIP to typeof(string) on (where ipv4_is_in_range(testIP, network))
| network | geoname_id | continent_code | continent_name | country_iso_code | country_name | is_anonymous_proxy | is_satellite_provider | testIP |
|---|---|---|---|---|---|---|---|---|
| 4.28.114.0/24 | 6251999 | NA | North America | CA | Canada | false | false | 4.28.114.50 |
| 4.59.176.0/24 | 6251999 | NA | North America | CA | Canada | false | false | 4.59.176.50 |
选项 2
交叉连接两个 table(使用虚拟列)然后过滤结果
let IP_Data = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv'] with (ignoreFirstRecord = true);
let testIP = datatable (myip: string) ['4.28.114.50','4.59.176.50']; //Random IPs in Canada
testIP | extend dummy = 1
| join kind=inner (IP_Data | extend dummy = 1) on dummy
| where ipv4_is_in_range(myip, network)
| project-away dummy*
| myip | network | geoname_id | continent_code | continent_name | country_iso_code | country_name | is_anonymous_proxy | is_satellite_provider |
|---|---|---|---|---|---|---|---|---|
| 4.28.114.50 | 4.28.114.0/24 | 6251999 | NA | North America | CA | Canada | false | false |
| 4.59.176.50 | 4.59.176.0/24 | 6251999 | NA | North America | CA | Canada | false | false |
新答案
1M IP 演示,基于 ipv4_lookup 插件
let geoip2_ipv4 = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)
['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv'] with (ignoreFirstRecord = true)
| extend continent_name = coalesce(continent_name, '--- Missing ---');
let ips = materialize(range i from 1 to 1000000 step 1 | extend ip = format_ipv4(tolong(rand() * pow(2,32))));
ips
| evaluate ipv4_lookup(geoip2_ipv4, ip, network, return_unmatched = true)
| summarize count() by continent_name
| continent_name | count_ |
|---|---|
| North America | 399059 |
| Asia | 201902 |
| Europe | 173566 |
| South America | 33795 |
| Oceania | 13384 |
| Africa | 17569 |
| --- Missing --- | 226 |
| 160499 |