Map Charts

Map charts show the location and number of hits from data on a map.

To map your search results, provide valid aggregated latitude and longitude values, or use the Geo Lookup operator to derive them from extracted IPv4 and IPv6 addresses. If you are providing parsed values, make sure the field names are 'latitude' and 'longitude' so that the map chart can recognize the fields. Express north/south and east/west as positive or negative values rather than with the letters N/S, E/W.

Here's an example of parsing the values out of your log file into the fields a map chart expects:

* | "30.42" as latitude | "-87.21" as longitude | count by latitude, longitude

For example, you could use the following query to create a Map chart:

_sourceCategory=Error
| parse regex "(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| lookup latitude, longitude, country_code, country_name, region, city, postal_code from geo://location on ip = client_ip
| count by latitude, longitude, country_code, country_name, region, city, postal_code
| sort _count

which would produce results such as:

[Screenshot: geo lookup results fields]

Rules

  • Latitude and longitude values need to be provided with the fields 'latitude' and 'longitude' respectively.
  • Latitude and longitude values need to be positive or negative based on being north/south or east/west, instead of using the terms N/S, E/W.
  • A _count aggregator is required.
  • Other aggregators, such as sum or avg, do not produce accurate results.

Map Markers

For map markers, the different colors represent three groups based on the percentiles of count:

  • Red = 66.666 percentile and above
  • Yellow = 33.333-66.666 percentile
  • Green = 0-33.333 percentile
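As an added example (not part of the Sumo Logic documentation), the following Python normalizes N/S, E/W coordinates from constructed log lines into signed 'latitude' and 'longitude' fields as the Rules require, discards out-of-range values, counts hits per location the way "count by latitude, longitude" does, and colors each marker by the percentile thirds listed above. The rank-based percentile is an assumption, since the page does not say how the percentiles are computed.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the page). Coordinates carry N/S, E/W
# suffixes, which a map chart does not accept, so they must be converted to signed values.
SAMPLE_LOGS = [
    'status=500 lat=30.42N lon=87.21W',
    'status=500 lat=30.42N lon=87.21W',
    'status=500 lat=51.50N lon=0.12W',
    'status=500 lat=33.87S lon=151.21E',
    'status=500 lat=33.87S lon=151.21E',
    'status=500 lat=33.87S lon=151.21E',
    'status=500 lat=99.00N lon=10.00E',   # latitude out of range, must be dropped
]

COORD_RE = re.compile(
    r'lat=(?P<lat>\d+(?:\.\d+)?)(?P<lat_dir>[NS])\s+lon=(?P<lon>\d+(?:\.\d+)?)(?P<lon_dir>[EW])')

def to_signed(value: str, direction: str) -> float:
    """'87.21' + 'W' -> -87.21: N/E stay positive, S/W become negative."""
    magnitude = float(value)
    return -magnitude if direction in ('S', 'W') else magnitude

def parse_coordinates(line: str):
    """Return {'latitude': float, 'longitude': float}, or None if missing or out of range."""
    m = COORD_RE.search(line)
    if not m:
        return None
    lat = to_signed(m['lat'], m['lat_dir'])
    lon = to_signed(m['lon'], m['lon_dir'])
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return {'latitude': lat, 'longitude': lon}

def count_by_location(lines):
    """Equivalent of '| count by latitude, longitude': a Counter keyed by (lat, lon)."""
    counts = Counter()
    for line in lines:
        coords = parse_coordinates(line)
        if coords:
            counts[(coords['latitude'], coords['longitude'])] += 1
    return counts

def marker_colors(counts):
    """Red / Yellow / Green by percentile of _count (assumption: rank-based percentile)."""
    ordered = sorted(counts.items(), key=lambda kv: kv[1])
    colors = {}
    for rank, (loc, _count) in enumerate(ordered):
        pct = 100.0 * rank / len(ordered)
        colors[loc] = 'Red' if pct >= 66.666 else 'Yellow' if pct >= 33.333 else 'Green'
    return colors
```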

Limitations

  • Map charts have a display limit of 10,000 results.
  • Colors of map markers cannot be changed.

Create a Map Chart

  1. Run a Geo Lookup query.
  2. In the Aggregates tab, choose the Map Chart icon to display the search results.
    [Screenshot: Charts - map]

The data in the Aggregates tab is represented as a map chart.

[Screenshot: map chart in Aggregates tab]

For more information on geolocation operators, see the Geo Lookup operator.