Sumo Logic

Map Charts

Map charts show the location and number of hits from data on a map.

To map your search results, provide valid aggregated latitude and longitude values, or use the Geo Lookup operator to provide these values from extracted IPv4 and IPv6 addresses. If you are providing parsed values, make sure the field names are 'latitude' and 'longitude' so that the map chart can recognize the fields. Express the values as positive or negative numbers according to whether they are north/south or east/west, instead of using the terms N/S, E/W.

Here's an example of the values you can parse out of your log file for a map chart:

* | "30.42" as latitude | "-87.21" as longitude | count by latitude, longitude

For example, you could use the following query to create a Map chart:

_sourceCategory=Error
| parse regex "(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| lookup latitude, longitude, country_code, country_name, region, city, postal_code from geo://location on ip = client_ip
| count by latitude, longitude, country_code, country_name, region, city, postal_code
| sort _count

which would produce results such as:

[Screenshot: Geo Lookup results fields]

Rules

  • Latitude and longitude values need to be provided with the fields 'latitude' and 'longitude' respectively.
  • A _count aggregator is required. 
  • Other aggregators like sum or avg do not provide accurate results. 

Limitations

  • Map charts have a display limit of 10,000 results.
  • Colors of map markers cannot be changed. The different colors represent orders of 10:
    Blue: 1 - 9
    Yellow: 10 - 99
    Red: 100 - 999
    Pink: 1000 - 9999
    Purple: 10000 or more
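
For logs that record coordinates in hemisphere notation, the following Python sketch (an added example, not Sumo Logic code) normalizes them to the signed 'latitude' and 'longitude' values described above, counts hits per location, and reports the marker color each count would get. The input notation, the function names, and treating exactly 10000 as Purple are assumptions.

```python
import re
from collections import Counter

# Constructed sample coordinates (not from the page), mixing hemisphere and signed forms.
SAMPLE = [("30.42 N", "87.21 W"), ("30.42N", "87.21W"),
          ("33.87 S", "151.21 E"), ("-33.87", "151.21")]

_COORD = re.compile(r"^\s*([+-]?\d+(?:\.\d+)?)\s*([NSEW])?\s*$", re.IGNORECASE)

def to_signed(value, axis):
    """Convert '87.21 W' or '-87.21' to a signed float for axis 'latitude' or 'longitude'."""
    m = _COORD.match(value)
    if not m:
        raise ValueError(f"unparseable {axis}: {value!r}")
    number, hemi = float(m.group(1)), (m.group(2) or "").upper()
    allowed, limit = ("NS", 90.0) if axis == "latitude" else ("EW", 180.0)
    if hemi:
        if hemi not in allowed or number < 0:
            raise ValueError(f"bad hemisphere or sign for {axis}: {value!r}")
        if hemi in "SW":  # south and west are negative
            number = -number
    if abs(number) > limit:
        raise ValueError(f"{axis} out of range: {value!r}")
    return number

def marker_color(count):
    """Marker color for a count, using the page's buckets (assumes 10000 itself is Purple)."""
    for upper, color in ((10, "Blue"), (100, "Yellow"), (1000, "Red"), (10000, "Pink")):
        if count < upper:
            return color
    return "Purple"

def aggregate(pairs):
    """Count hits per normalized location, as rows with 'latitude', 'longitude', '_count'."""
    counts = Counter((to_signed(lat, "latitude"), to_signed(lon, "longitude"))
                     for lat, lon in pairs)
    return [{"latitude": lat, "longitude": lon, "_count": n, "color": marker_color(n)}
            for (lat, lon), n in counts.most_common()]

if __name__ == "__main__":
    for row in aggregate(SAMPLE):
        print(row)
```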

Create a Map Chart

  1. Run a Geo Lookup query.
  2. In the Aggregates tab, choose the Map Chart icon to display the search results.

The data in the Aggregates tab is represented as a map chart.


For more information on geolocation operators, see the Geo Lookup operator.