Group IPs in Log Analytics workspaces query

Question

Im looking for the right query langue to group my IPs in my log analytics workspace into two categories, Internal and external but can't figure out how to group the ips in the query language.&nbsp; Any help?&nbsp;

clivewatson · Answer

Can you give us a clue as to the Table they are in, AzureActivity, WireData etc...Are internal 10.10.10.10 for example, compared to 1.1.1.1?  Or are you looking to see which are outbound to inbound?

frostj02 · Answer

CliveWatsonIt is part of&nbsp; Azure Log Analytics in the signinlogs table.&nbsp; I know my internal ips and external ips I just want to group them.&nbsp; my report shows a count of signin's by ip's but I can't group the ips to make it a more relevant chart. &nbsp;

clivewatson · Answer

frostj02&nbsp;
&nbsp;
You could do something like this?
&nbsp;
SigninLogs
| where TimeGenerated &gt; ago(24h)
| extend local = case(parse_ipv4(IPAddress) between ( parse_ipv4("67.0.0.0")  .. parse_ipv4("67.255.255.255")  ),"Local",  
                      parse_ipv4(IPAddress) between ( parse_ipv4("74.0.0.0")  .. parse_ipv4("74.255.255.255")  ),"Local",   
                      parse_ipv4(IPAddress) between ( parse_ipv4("100.0.0.0") .. parse_ipv4("109.255.255.255") ),"Local",
                      //else 
                      "Remote"  )
| summarize count(), make_set(IPAddress) by local
| order by local asc
&nbsp;
You can set a range between IP address - line 1 is 67* to 67*, the same for 74*, the final line is 100-109*
Anything outside of the local ones are 'remote'.&nbsp;
&nbsp;
Or you can swap the names to "Local" and "Remote" and the //else to "Other"
&nbsp;

Forum Discussion

Group IPs in Log Analytics workspaces query

3 Replies

Resources