If you have IPv6 address fields configured in your Logger, you can filter on IPv6 addresses in Logger address fields as you would for IPv4 addresses.
Canonical Format for IPv6 addresses
When using a query search operator to search for full or partial IPv6 addresses, the address must be in canonical (normalized) format. Do not use IPv4-mapped IPv6 addresses.
Address fields that are indexed by default require canonical format for IPv6 addresses. They include:
destinationAddress
deviceAddress
sourceAddress
Address fields that are not indexed are not limited to canonical IPv6 addresses. They include:
agentAddress
However, queries on the agentAddress field will be slower, due to on-the-fly, just-in-time indexing of that field. If you issue many queries on the agentAddress field, consider indexing that field on Logger. If you need additional fields normalized, contact Customer Support. If you need to index additional fields, see Search Indexes.
Tip: In searches containing a search operator, IPv6 addresses in the results are displayed in canonical format. To view the original IPv6 address, expand the 'raw message' tab in the search results.
Searching for Partial IPv6 Addresses
You can search for a partial IP address if the partial address you enter is already in the canonical format. All IPv6 addresses you enter in queries are converted to the canonical format so that they match the IPv6 address as stored in the database. If your query includes a partial address that is not in the correct format, it will not match the IPv6 address as stored in the database and will not return any results.
Field-based and Keyword Searches
If you run a keyword or field-based search for one of these address fields, it will find ALL matching events for equivalent IPv6 values, regardless of the format of the original IPv6 addresses.
IPv4-mapped IPv6 addresses are matched with IPv4 addresses, and vice-versa. For example, src=::ffff:10.10.11.12 will match events in which src=10.10.11.12.
Note: This functionality is not available for the INSUBNET operator or for the lookup function. See Using the INSUBNET Operator to Search for IPv6 Addresses.
Aggregation Operators with IPv6
Aggregation operators behave the same for both field-based and keyword searches. Results for equivalent IPv6 addresses are combined into one line that displays the IPv6 address in canonical format. You can search for IPv6 addresses by entering them in any valid format. Note that this pertains only to the results display. Logger does not change any of the actual events and values.
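The following Python sketch is an added example, not Logger code. It models the canonicalization, partial-address matching, and aggregation behavior described above. It assumes that "canonical" means the compressed lowercase form produced by Python's ipaddress module and that a partial search is a text prefix match; the function names and sample events are constructed for illustration.

```python
import ipaddress
from collections import Counter

def canonical(addr: str) -> str:
    """Compressed, lowercase text form of an address (assumed canonical form)."""
    return str(ipaddress.ip_address(addr))

def equivalent(a: str, b: str) -> bool:
    """Compare by value, treating an IPv4-mapped IPv6 address as its IPv4 address."""
    def unmap(text):
        ip = ipaddress.ip_address(text)
        mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6 objects have this
        return mapped if mapped is not None else ip
    return unmap(a) == unmap(b)

def partial_matches(partial: str, stored: str) -> bool:
    """Prefix match of a partial address against the stored canonical text."""
    return canonical(stored).startswith(partial)

def count_by_source(events):
    """Aggregate events by canonical sourceAddress, one line per equivalent value."""
    return Counter(canonical(e["sourceAddress"]) for e in events)

# Constructed sample events: one host written three ways, plus a second host.
EVENTS = [
    {"sourceAddress": "2001:db8:85a3:0042:1000:8a2e:0370:7334"},
    {"sourceAddress": "2001:0DB8:85A3:42:1000:8A2E:370:7334"},
    {"sourceAddress": "2001:db8:85a3:42:1000:8a2e:370:7334"},
    {"sourceAddress": "2001:db8:0:0:0:0:0:1"},
]

if __name__ == "__main__":
    for addr, n in count_by_source(EVENTS).items():
        print(n, addr)
    stored = EVENTS[0]["sourceAddress"]
    # A partial address in canonical form matches the stored value.
    print(partial_matches("2001:db8:85a3:42", stored))
    # The same partial address with a leading zero does not match.
    print(partial_matches("2001:db8:85a3:0042", stored))
    # IPv4-mapped IPv6 and plain IPv4 refer to the same host.
    print(equivalent("::ffff:10.10.11.12", "10.10.11.12"))
```

Running canonical() over a partial address before pasting it into a query is not possible, because a partial address is not a valid address; canonicalize the full address first and then truncate it.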
Example: IPv6 address searches
sourceAddress IS NULL
destinationAddress = 2001:db8:85a3:0042:1000:8a2e:0370:7334
deviceAddress IS NOT NULL