
January 25, 2013, by Amanda Saso

Mapping machine data (pun intended)

When you’re talking analytics, who said that an unfair advantage has to be ugly? Our newest feature is drop-dead gorgeous:

What you’re seeing is the result of a geo lookup query, which matches extracted IP addresses to their geographical location–another troubleshooting tool from Sumo Logic. (If you’re ready to skip right to the good stuff and start using this feature, see our Knowledge Base article here.)

Geo lookup queries use four Sumo Logic search language components: IP addresses are parsed, then the lookup operator compares the extracted IPs against a hosted IP geolocation table. The count and sort aggregate functions order the data; using these aggregate functions is what allows you to add a map to a Dashboard. The results are plugged into the Google Maps API, and in a few seconds you’ve got a map showing the location of the IP addresses. The syntax looks like this:

| parse "remote_ip=*]" as ip_address
| lookup latitude, longitude, country_code, country_name, city, postal_code from geo://default on ip = ip_address
| count by latitude, longitude, country_code, country_name, city, postal_code
| sort _count
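To show what each stage of that pipeline does to the data, here is an added Python example that emulates the four steps offline. It is not Sumo Logic code and does not call the Sumo Logic service: the log lines, the stand-in geolocation table (a hypothetical replacement for the hosted geo://default table, keyed on the first three octets) and the coordinates are all constructed for illustration. The example sorts so the most frequent location comes first; each output row is one map marker with its count.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post). The
# "[remote_ip=...]" field mirrors the pattern the parse step extracts.
SAMPLE_LOGS = [
    '2013-01-25 10:01:02 sshd[1201]: accepted login [remote_ip=203.0.113.5] user=alice',
    '2013-01-25 10:01:09 sshd[1202]: accepted login [remote_ip=198.51.100.7] user=bob',
    '2013-01-25 10:02:15 sshd[1203]: accepted login [remote_ip=203.0.113.5] user=alice',
    '2013-01-25 10:03:44 sshd[1204]: failed login [remote_ip=192.0.2.44] user=root',
    '2013-01-25 10:04:01 sshd[1205]: accepted login [remote_ip=203.0.113.9] user=carol',
    '2013-01-25 10:05:30 cron[88]: job finished',  # no IP field: the parse step drops it
]

# Constructed, hypothetical stand-in for the hosted geo://default table,
# keyed on the first three octets. Coordinates are illustrative only.
GEO_TABLE = {
    '203.0.113': dict(latitude=37.77, longitude=-122.42, country_code='US',
                      country_name='United States', city='San Francisco', postal_code='94103'),
    '198.51.100': dict(latitude=51.51, longitude=-0.13, country_code='GB',
                       country_name='United Kingdom', city='London', postal_code='WC2N'),
    '192.0.2': dict(latitude=-33.87, longitude=151.21, country_code='AU',
                    country_name='Australia', city='Sydney', postal_code='2000'),
}

# The fields requested in the lookup step and grouped on in the count step.
LOOKUP_FIELDS = ('latitude', 'longitude', 'country_code',
                 'country_name', 'city', 'postal_code')

# Step 1, equivalent of: | parse "remote_ip=*]" as ip_address
IP_PATTERN = re.compile(r'remote_ip=([^\]]+)\]')

def parse_ip(line):
    """Return the remote_ip value from a log line, or None if absent."""
    match = IP_PATTERN.search(line)
    return match.group(1) if match else None

# Step 2, equivalent of: | lookup ... from geo://default on ip = ip_address
def lookup_geo(ip):
    """Return the geolocation record for an IP, or None if no entry matches."""
    prefix = '.'.join(ip.split('.')[:3])
    return GEO_TABLE.get(prefix)

# Steps 3 and 4: | count by <fields> and | sort _count
def geo_lookup_query(lines):
    """Run parse -> lookup -> count by -> sort and return one row per location."""
    counter = Counter()
    for line in lines:
        ip = parse_ip(line)
        if ip is None:
            continue
        geo = lookup_geo(ip)
        if geo is None:
            continue  # an IP with no table entry drops out of the lookup, so it never reaches the map
        counter[tuple(geo[f] for f in LOOKUP_FIELDS)] += 1
    rows = [dict(zip(LOOKUP_FIELDS, key), _count=n) for key, n in counter.items()]
    rows.sort(key=lambda r: r['_count'], reverse=True)  # busiest location first
    return rows

if __name__ == '__main__':
    for row in geo_lookup_query(SAMPLE_LOGS):
        print(row)
```

Each returned row carries exactly the latitude/longitude pair the map needs plus the descriptive fields and the `_count` that sizes or labels the marker; lines without an IP, or with an IP the table does not know, simply vanish from the result, which is worth remembering when a map shows fewer points than the log has entries.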

It’s also worth noting how much flexibility you have in choosing geolocation fields for a geo lookup query. Latitude and longitude are required, but the hosted geolocation table includes fields at different levels of granularity, such as country_name, postal_code, and area_code; depending on the area of the world you’re concentrating on, you can pick and choose which fields make sense in your query.

I also like using the familiar Google Maps interface–there’s no learning curve. The zoom slider/control is displayed both in the Search page, and in a Dashboard:

In addition, clicking one of the markers on a map immediately zooms down to street level, meaning that you don’t have to worry about zooming on the wrong area:

To learn more about using geo lookup queries to build maps, see Mapping IP addresses with geo lookup queries in the Sumo Logic Labs beta feature section of our Support Portal. While you’re there, be sure to drop us a line!

Or, get started now using Sumo Logic Free!
