Calculate Subnet with Custom Prefix Length

Determine network address with specified bits using the subnet() function

Query

logscale
subnet(ipAddress, bits=23, as=subnet)

Introduction

The subnet() function can be used to calculate the subnet network address for an IP address using a specified prefix length. The function takes an IP address and returns the corresponding subnet address based on the number of network bits specified.

In this example, the subnet() function is used to calculate the /23 subnet address for IP addresses and store the result in a custom field named subnet.

Example incoming data might look like this:

@timestamp                ipAddress
2025-08-06T10:15:30.000Z  192.168.10.45
2025-08-06T10:15:31.000Z  10.0.15.200
2025-08-06T10:15:32.000Z  172.16.100.75
2025-08-06T10:15:33.000Z  192.168.20.150
2025-08-06T10:15:34.000Z  10.0.30.25

Step-by-Step

  1. Starting with the source repository events.

  2. logscale
    subnet(ipAddress, bits=23, as=subnet)

    Calculates the subnet network address for each IP address in the ipAddress field. The bits parameter is set to 23 to specify a /23 network prefix length. The as parameter defines subnet as the output field name. The function returns the network address of the /23 subnet that contains each IP address.

  3. Event Result set.

Summary and Results

The query is used to determine the network addresses for IP addresses using a /23 prefix length, which leaves 9 host bits and so creates subnets of 512 addresses each.

This query is useful, for example, to group IP addresses by their network segments, analyze traffic patterns at the subnet level, or apply network-based policies.

Sample output from the incoming example data:

@timestamp     @timestamp.nanos  @timezone  ipAddress       subnet
1754475330000  0                 Z          192.168.10.45   192.168.10.0/23
1754475331000  0                 Z          10.0.15.200     10.0.14.0/23
1754475332000  0                 Z          172.16.100.75   172.16.100.0/23
1754475333000  0                 Z          192.168.20.150  192.168.20.0/23
1754475334000  0                 Z          10.0.30.25      10.0.30.0/23

Note that the subnet addresses are stored in CIDR notation in the subnet field.

Each /23 subnet spans 512 addresses (9 host bits); after excluding the network and broadcast addresses, 510 of them are usable for hosts.
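The following Python program is an added example, not part of the LogScale documentation and not LogScale's implementation. It reproduces what the subnet() step above does on the sample events: it masks each address down to its /23 network, adds the result as a subnet field, and then groups events by that field as the Summary suggests. The events list is constructed to match the example data; the function names (subnet_manual, annotate, group_by_subnet) and the choice to return None for unparsable addresses are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict
from typing import Optional

# Constructed sample events mirroring the page's example data (not real traffic).
EVENTS = [
    {"@timestamp": "2025-08-06T10:15:30.000Z", "ipAddress": "192.168.10.45"},
    {"@timestamp": "2025-08-06T10:15:31.000Z", "ipAddress": "10.0.15.200"},
    {"@timestamp": "2025-08-06T10:15:32.000Z", "ipAddress": "172.16.100.75"},
    {"@timestamp": "2025-08-06T10:15:33.000Z", "ipAddress": "192.168.20.150"},
    {"@timestamp": "2025-08-06T10:15:34.000Z", "ipAddress": "10.0.30.25"},
]


def subnet_manual(ip_address: str, bits: int) -> str:
    """Compute the containing network by hand: pack the four octets into a
    32-bit integer, AND it with a mask of `bits` leading ones, unpack."""
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    parts = ip_address.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip_address!r}")
    o = [int(p) for p in parts]
    value = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF  # `bits` ones, then zeros
    network = value & mask
    dotted = ".".join(str((network >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return f"{dotted}/{bits}"


def subnet(ip_address: str, bits: int = 24) -> Optional[str]:
    """Same result via the standard ipaddress module. Returns the network in
    CIDR notation, or None when the address or prefix is invalid so that one
    malformed event does not abort processing (policy assumed for this example)."""
    try:
        addr = ipaddress.IPv4Address(ip_address)
        return str(ipaddress.IPv4Network((addr, bits), strict=False))
    except (ValueError, TypeError):
        return None


def address_count(bits: int) -> int:
    """Total addresses in a /bits IPv4 network: 2 ** host_bits."""
    return 2 ** (32 - bits)


def usable_hosts(bits: int) -> int:
    """Addresses left for hosts after removing the network and broadcast
    addresses. /31 (RFC 3021 point-to-point) and /32 have no such reservation."""
    if bits >= 31:
        return address_count(bits)
    return address_count(bits) - 2


def annotate(events, bits=23, field="ipAddress", as_field="subnet"):
    """Equivalent of subnet(ipAddress, bits=23, as=subnet): copy each event
    and add the containing network as a new field."""
    out = []
    for ev in events:
        ev = dict(ev)
        ev[as_field] = subnet(ev.get(field, ""), bits)
        out.append(ev)
    return out


def group_by_subnet(events, bits=23):
    """Bucket addresses by /bits network: the 'group by network segment' use
    case from the Summary. Events with an unparsable address are skipped."""
    groups = defaultdict(list)
    for ev in annotate(events, bits):
        if ev["subnet"] is not None:
            groups[ev["subnet"]].append(ev["ipAddress"])
    return dict(groups)


if __name__ == "__main__":
    for ev in annotate(EVENTS, bits=23):
        print(ev["@timestamp"], ev["ipAddress"], ev["subnet"])
    # 10.0.14.3 and 10.0.15.200 land in the same /23 even though their third octets differ.
    print(group_by_subnet(EVENTS + [{"ipAddress": "10.0.14.3"}], bits=23))
    print(address_count(23), "addresses,", usable_hosts(23), "usable hosts")
```

The manual version makes the arithmetic visible: with bits=23 the mask is 255.255.254.0, so the low bit of the third octet is cleared, which is why 10.0.15.200 maps to 10.0.14.0/23 while 192.168.10.45 stays at 192.168.10.0/23. The ipaddress version is what you would use in practice; returning None for malformed input keeps a single bad event from stopping a batch.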