
Geo Lookup (Map)

Sumo Logic can match an extracted IP address to its geographical location on a map. To create the map, first parse the IP addresses from your log messages; the lookup operator then matches each extracted IP address to the physical location the address originated from. Finally, the resulting geolocation fields are passed to the Google Maps API to plot the IPs on a map.

The latitude and longitude fields are required; optional fields are country_code, country_name, region, city, postal_code, area_code, and metro_code.

Depending on how specific you’d like the output to be, you can include all the optional fields, or choose a subset.

Map Markers

For map markers, the different colors represent orders of magnitude in the count:

  • Blue is <10
  • Yellow is 10-99
  • Red is 100-999
  • Violet is 1000-9999
  • Purple is >= 10000

The colors cannot be changed.

Syntax

To produce a map, your query should use the following syntax:

| parse "[ip_fieldname]" as [ip_address]
| lookup latitude, longitude [optional_geo_locator fields]
  from geo://default on ip=[ip_address]
| count by latitude, longitude, [other geo_locator fields]
| sort _count

This syntax produces aggregate results, so you can add a map to a Dashboard.

Examples

Sample log message:

2012-12-13 10:29:17,037 -0800 INFO [hostId=prod-frontend-1] [module=SERVICE] [logger=service.endpoint.auth.v1.impl.AuthenticationServiceDelegate [thread=btpool0-8] [remote_ip=67.180.85.25] Successful login for user 'da@users.com', organization: '0000000000000005

Using the example log, running a query like this:

| parse "remote_ip=*]" as remote_ip
| lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = remote_ip
| count by latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code
| sort _count

would produce the following results:

Run a geo lookup query

Enter a query that parses the IP field from your logs, uses a lookup operator to match the IP addresses against the geo lookup table, and then returns the geolocation fields you’d like to use to chart each IP address.

  1. Run a geo lookup query. By default, results display as a table.
  2. Click the Map icon in the Aggregates tab. The map displays.
  3. Do any of the following:
  • Use the zoom slider to zoom in or out on an area of the map. Alternatively, click and drag to zoom in or to see different areas of the map.
  • Click Satellite or Map to switch between the satellite and map views.
  • Click any marker on the map to see more detail about where IPs originate in a specific area.
  4. (Optional) Click Add to Dashboard to create a new Dashboard or add the map to an existing Dashboard.

     After adding a map to a Dashboard you'll still be able to zoom in and drill down on the data.

Handle null values

To find IP addresses that the geo lookup did not match (the geolocation fields come back null), use the isNull operator.

For example, running a query like:

| parse "remote_ip=*]" as remote_ip
| lookup country_code from geo://default on ip = remote_ip
| if (isNull(country_code), "unknown", country_code) as country_code

returns results similar to:
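The following is an added example, not part of the Sumo Logic documentation, that mirrors the parse, lookup, count and null-handling pipeline described on this page outside of Sumo Logic. The log lines, the geo table standing in for geo://default, and the coordinates are all constructed; only the marker color thresholds are taken from the page.

```python
import re
from collections import Counter

# Constructed log lines in the format shown on this page (not real traffic).
LOGS = [
    "2012-12-13 10:29:17,037 -0800 INFO [hostId=prod-frontend-1] [remote_ip=67.180.85.25] Successful login for user 'da@users.com'",
    "2012-12-13 10:29:18,102 -0800 INFO [hostId=prod-frontend-1] [remote_ip=67.180.85.25] Successful login for user 'bb@users.com'",
    "2012-12-13 10:29:19,411 -0800 INFO [hostId=prod-frontend-2] [remote_ip=198.51.100.7] Successful login for user 'cc@users.com'",
    "2012-12-13 10:29:20,005 -0800 INFO [hostId=prod-frontend-2] [remote_ip=10.0.0.12] Successful login for user 'dd@users.com'",
    "2012-12-13 10:29:21,770 -0800 WARN [hostId=prod-frontend-2] Failed login for user 'ee@users.com'",
]

# Constructed stand-in for geo://default: ip -> (latitude, longitude, country_code).
# Coordinates are made up. The private address 10.0.0.12 has no entry, so its
# lookup yields null fields, which is the case the isNull example handles.
GEO_TABLE = {
    "67.180.85.25": (37.7749, -122.4194, "US"),
    "198.51.100.7": (51.5074, -0.1278, "GB"),
}

# Equivalent of: | parse "remote_ip=*]" as remote_ip
IP_PATTERN = re.compile(r"remote_ip=([^\]]+)\]")

# Marker colors from the page: the color steps up at each power of ten.
MARKER_COLORS = [(10, "blue"), (100, "yellow"), (1000, "red"), (10000, "violet")]

def marker_color(count):
    """Map an aggregate _count to the marker color the page documents."""
    for limit, color in MARKER_COLORS:
        if count < limit:
            return color
    return "purple"  # >= 10000

def geo_lookup(ip):
    """Mimic '| lookup ... from geo://default on ip = remote_ip'; misses become None."""
    return GEO_TABLE.get(ip, (None, None, None))

def geo_counts(lines):
    """parse -> lookup -> count by latitude, longitude, country_code -> sort _count."""
    counts = Counter()
    for line in lines:
        m = IP_PATTERN.search(line)
        if not m:
            continue  # like parse without nodrop: non-matching messages are dropped
        lat, lon, cc = geo_lookup(m.group(1))
        cc = "unknown" if cc is None else cc  # if(isNull(country_code), "unknown", country_code)
        counts[(lat, lon, cc)] += 1
    # most_common() sorts by count descending, matching Sumo Logic's default sort order
    return [(key, n, marker_color(n)) for key, n in counts.most_common()]

if __name__ == "__main__":
    for (lat, lon, cc), n, color in geo_counts(LOGS):
        print(f"{lat} {lon} {cc}: _count={n} marker={color}")
```

In a real deployment the unmatched row would appear on the map with null coordinates, so checking for the "unknown" bucket is a quick way to spot private or unroutable source addresses in the login logs.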