
Geo Lookup (Map)

Sumo Logic can match a parsed IPv4 or IPv6 address to its geographical location on a map. To create the map, the lookup operator matches parsed IP addresses to their physical location based on the latitude and longitude of where the addresses originated. Latitude and longitude are given with a precision of up to five decimal places.

Required fields:

  • latitude
  • longitude
  • _count

Optional fields. Depending on how specific you'd like the output to be, you can include all of the optional fields or choose a subset:

  • continent
  • country_code
  • country_name
  • region
  • city
  • state
  • postal_code
  • connection_type
  • country_cf
  • state_cf
  • city_cf

Details of these data fields can be found in Neustar's documentation under the GeoPoint Data Glossary topic.

Syntax

The Geo Lookup operator uses lookup with a specific path, geo://location, to produce a map. Your query should use the following syntax:

| parse "[ip_fieldname]" as [ip_address]
| lookup latitude, longitude [optional_geo_locator fields]
  from geo://location on ip=[ip_address]
| count by latitude, longitude, [other geo_locator fields]
| sort _count

This syntax produces aggregate results, so you can add a map to a Dashboard.

Map Markers

For map markers, the different colors represent three groups based on the percentile of each marker's count:

  • Red = 66.666 percentile and above
  • Yellow = 33.333-66.666 percentile
  • Green = 0-33.333 percentile

The colors cannot be changed.
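As an added illustration (not code from the Sumo Logic documentation), the Python below reproduces this three-way bucketing on a small constructed result set carrying the page's required fields (latitude, longitude, _count). Sumo Logic does not state the exact percentile-rank formula, so ranking each marker by the percentage of markers with a strictly smaller count is an assumption made here; the sample rows and their counts are constructed, and the thresholds are the 66.666 and 33.333 values from the page.

```python
from typing import Dict, List, Tuple

RED, YELLOW, GREEN = "red", "yellow", "green"

# Constructed aggregate rows, as a "count by latitude, longitude" query would return.
# Coordinates use the five-decimal precision mentioned on the page.
SAMPLE_ROWS = [
    {"latitude": 37.77493, "longitude": -122.41942, "_count": 120},
    {"latitude": 51.50735, "longitude": -0.12776, "_count": 45},
    {"latitude": 35.68950, "longitude": 139.69171, "_count": 9},
    {"latitude": 48.85661, "longitude": 2.35222, "_count": 9},
    {"latitude": -33.86882, "longitude": 151.20929, "_count": 3},
]


def percentile_rank(value: int, values: List[int]) -> float:
    """Assumed definition: percentage of markers whose count is strictly below `value`."""
    below = sum(1 for v in values if v < value)
    return 100.0 * below / len(values)


def marker_color(rank: float) -> str:
    """Map a percentile rank to the page's three fixed colors."""
    if rank >= 66.666:
        return RED
    if rank >= 33.333:
        return YELLOW
    return GREEN


def color_markers(rows: List[Dict]) -> List[Dict]:
    """Return a copy of each row with its percentile rank and marker color attached."""
    counts = [r["_count"] for r in rows]
    colored = []
    for r in rows:
        rank = percentile_rank(r["_count"], counts)
        colored.append({**r, "percentile": round(rank, 3), "color": marker_color(rank)})
    return colored


def markers_by_color(rows: List[Dict]) -> Dict[str, List[Tuple[float, float]]]:
    """Group (latitude, longitude) pairs by color, e.g. to list the red hot spots first."""
    groups: Dict[str, List[Tuple[float, float]]] = {RED: [], YELLOW: [], GREEN: []}
    for r in color_markers(rows):
        groups[r["color"]].append((r["latitude"], r["longitude"]))
    return groups


if __name__ == "__main__":
    for r in color_markers(SAMPLE_ROWS):
        print(f"{r['latitude']:>10.5f} {r['longitude']:>11.5f} "
              f"count={r['_count']:<4} pct={r['percentile']:<6} {r['color']}")
```

Tied counts receive the same rank and therefore the same color, so two locations with identical counts never end up in different buckets.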

Examples

Sample log message:

2017-12-13 10:29:17,037 -0800 INFO [hostId=prod-frontend-1] [module=SERVICE] [logger=service.endpoint.auth.v1.impl.AuthenticationServiceDelegate [thread=btpool0-8] [remote_ip=67.180.85.25] Successful login for user 'da@users.com', organization: '0000000000000005

Using logs that match the example log format, running a query like this:

| parse "remote_ip=*]" as remote_ip
| lookup latitude, longitude, country_code, country_name, region, city, postal_code from geo://location on ip = remote_ip
| count by latitude, longitude, country_code, country_name, region, city, postal_code
| sort _count

would produce the following results:

[Image: geo lookup world map.png]

View map of Geo Lookup results

Enter a query that parses the IP field from your logs, uses the lookup operator to match the IP addresses against the geo lookup table, and then selects the geolocation fields you'd like to use to chart each IP address.

  1. By default, results display as a table:
     [Image: geo lookup results fields.png]
  2. Click the Map icon in the Aggregates tab. The map displays:
     [Image: map icon location.png]
  3. Do any of the following:
     • Use the zoom slider to zoom in or out on an area of the map. Alternatively, click and drag to zoom in or to see different areas of the map.
     • Click any marker on the map to see more detail about where IPs originate in a specific area:
       [Image: click map marker with zoomed results.png]
  4. (Optional) Click Add to Dashboard to create a new Dashboard or add the map to an existing Dashboard. After adding a map to a Dashboard you'll still be able to zoom in and drill down on the data.

Handle null values

When an IP address has no entry in the geo lookup table, the looked-up fields are null. To find these mismatches in a geo lookup query, use the isNull operator.

For example, running a query like:

| parse "remote_ip=*]" as remote_ip
| lookup country_code from geo://location on ip = remote_ip
| if (isNull(country_code), "unknown", country_code) as country_code
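To show what this pipeline does end to end, here is an added Python example (not code from the Sumo Logic documentation) that mirrors the three stages of the query above: extracting remote_ip with the same anchor text as parse "remote_ip=*]", looking the address up, and substituting "unknown" where the lookup returns nothing. The log lines and the geo table are constructed for the example (documentation-range addresses with made-up country codes); the real geo://location table is a Sumo Logic service, so the dictionary stands in for it. One design choice made here: an address that fails to parse as IPv4 or IPv6 is treated like a missing lookup, so it is counted under "unknown" rather than raising an error.

```python
import ipaddress
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed log lines in the format shown on this page (not real traffic).
SAMPLE_LOGS = [
    "2024-01-05 10:29:17,037 -0800 INFO [hostId=prod-frontend-1] [module=SERVICE] [remote_ip=203.0.113.7] Successful login for user 'a@example.com'",
    "2024-01-05 10:29:18,101 -0800 INFO [hostId=prod-frontend-1] [module=SERVICE] [remote_ip=203.0.113.7] Successful login for user 'b@example.com'",
    "2024-01-05 10:29:19,220 -0800 INFO [hostId=prod-frontend-2] [module=SERVICE] [remote_ip=198.51.100.40] Successful login for user 'c@example.com'",
    "2024-01-05 10:29:20,005 -0800 INFO [hostId=prod-frontend-2] [module=SERVICE] [remote_ip=10.0.0.5] Successful login for user 'd@example.com'",
    "2024-01-05 10:29:21,413 -0800 INFO [hostId=prod-frontend-1] [module=SERVICE] [remote_ip=2001:db8::1] Successful login for user 'e@example.com'",
    "2024-01-05 10:29:22,000 -0800 WARN [hostId=prod-frontend-1] [module=SERVICE] [remote_ip=garbage] Malformed request",
    "2024-01-05 10:29:23,000 -0800 INFO [hostId=prod-frontend-1] [module=HEALTH] Health check OK",
]

# Constructed stand-in for the geo://location table: ip -> (country_code, country_name).
# Addresses come from the IETF documentation ranges; the countries are invented.
GEO_TABLE = {
    "203.0.113.7": ("AA", "Country A"),
    "198.51.100.40": ("BB", "Country B"),
}

# Same anchor text as the query's parse "remote_ip=*]": everything up to the closing bracket.
REMOTE_IP_RE = re.compile(r"remote_ip=([^\]]*)\]")


def parse_remote_ip(line: str) -> Optional[str]:
    """Equivalent of parse "remote_ip=*]" as remote_ip; None when the line has no such field."""
    m = REMOTE_IP_RE.search(line)
    return m.group(1) if m else None


def geo_lookup(ip: str) -> Optional[Tuple[str, str]]:
    """Equivalent of lookup ... from geo://location on ip = remote_ip against the constructed table.

    Returns None (the query's null) for addresses that are not valid IPv4/IPv6 or have no entry.
    """
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return GEO_TABLE.get(ip)


def country_or_unknown(ip: str) -> str:
    """Equivalent of if (isNull(country_code), "unknown", country_code) as country_code."""
    hit = geo_lookup(ip)
    return hit[0] if hit else "unknown"


def count_by_country(lines: List[str]) -> List[Tuple[str, int]]:
    """Parse, look up, and count by country_code; most frequent first, then by code."""
    counter: Counter = Counter()
    for line in lines:
        ip = parse_remote_ip(line)
        if ip is None:
            continue  # like parse without nodrop: messages with no remote_ip field are dropped
        counter[country_or_unknown(ip)] += 1
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for code, n in count_by_country(SAMPLE_LOGS):
        print(f"{code:8} {n}")
```

Reading the "unknown" bucket is the useful part for a defender: a large share of logins with no geo match usually means private or reserved addresses reaching the lookup (as with 10.0.0.5 and 2001:db8::1 above), or an IP field that is not being parsed cleanly, rather than a real geographic gap.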

returns results similar to:

[Image: isNull.png]