Map Charts
Map charts show the location and number of hits from data on a map.
To map your data you can:
- Use the geoip or Geo Lookup operators to provide these values from extracted IPv4 and IPv6 addresses.
- Manually provide valid aggregated latitude and longitude values. Ensure the field names are 'latitude' and 'longitude' so that map chart can recognize them. Format the values with positive or negative values based on being north/south or east/west, instead of using the terms N/S, E/W, such as,
30.42and-87.21.
For example, you'd use the geoip operator to create a map chart:
| parse "remote_ip=*]" as client_ip
| geoip client_ip
| count by latitude, longitude
| sort _count
Or, you'd use the geo lookup operator to create a map chart:
_sourceCategory=Error
| parse regex "(\<client_i\>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| lookup latitude, longitude, country_code, country_name, region, city, postal_code from geo://location on ip = client_ip
| count by latitude, longitude, country_code, country_name, region, city, postal_code
| sort _count
which would produce results such as:
Rules
- Latitude and longitude values need to be provided with the fields 'latitude' and 'longitude' respectively.
- Latitude and longitude values need to be positive or negative based on being north/south or east/west, instead of using the terms N/S, E/W, such as,
30.42and-87.21. - A
_countaggregator is required. - Other aggregators like
sumoravgdon't provide accurate results.
Limitations
- Map charts have a display limit of 10,000 results.
- Colors of map markers can't be changed.
Create a map chart
To add a panel with a map chart:
Create or open a Dashboard (New) and click on Add Panel > Map.
Provide a Geo Lookup query and press Enter for it to run.
A map chart is available in two types, Cluster or Heatmap.
Modify the chart as desired.
Click the Add to Dashboard button on the top right of the window to add the panel to your dashboard.
