Map Visualization

You can use the Map visualization in Oracle Logging Analytics to view log records grouped by the location from where the logs are collected.

Additional Topics:

Before you can use Map to view log records based on location fields, if you are not using an Oracle-defined source, then you must set the Field Enrichment options to populate the city, region, country, continent or location coordinates fields in the Log Source from the Oracle Logging Analytics Administration page. See Configure Field Enrichment Options.

Search for logs for a set of entities. See Search Logs by Entities.
In the Log Explorer, from the Visualize panel, select Map ().
This displays a world map where log records can be grouped by Client Coordinates, Client Host Continent, Client Host Country, Client Host City, and Client Host Region.
The following example shows the map where the log records are collected from 1,195 locations:

Under the visualization, a warning icon along with the tip indicates that more data is available than what is displayed. You might want to filter the available data by using one of the fields in the Referenced section. For example, in the above displayed data, if you apply a filter to show the logs only from the continent Asia, then the query is updated to reflect the selection. To do this, click the Actions icon next to the Client Host Continent field in the Referenced section, click Filter, enable the check box for Asia in the Filter Client Host Continent dialog box, and click Apply.
To customize the visualization for your use case, click the Map Options icon :
- Show color map: By default, the color map is enabled. You can choose to view the greyscale map.
- Show legend: The displays the summary of the log record sizes and the number of the groups.
- Point color: Select the color of the point that represents the location from where the log records are collected.
- Combine nearby points: If the number of locations are many and you want to reduce the number of points, then you can combine nearby points to simplify your view.
- Combined points color: Select the color of the point that represents the combined points.
- Filter on zoom: If you enable this option, then a new query is run that focuses on the area selected with rectangular zoom.
- Enable mousewheel: Use the mousewheel inside the visualization area to zoom in or zoom out of the map.
To focus your analysis on a specific region of the map, click the Rectangular Zoom icon and select the area of interest. Then the map automatically adjusts to focus on the region. If you have enabled the option Filter on zoom in the map options, then a new query is run that filters the log records in the selected area.

Specify Geo-location Using `geostats` Command

The Map visualization uses the geo-location coordinates to display aggregate results on a map. These coordinates are enriched during the log ingestion, based on an IP address field. However, not all the IP addresses may have valid coordinate field. You can now supply your own coordinates when the default enrichment is incorrect or is missing the information.

Use the include=custom option to the geostats command to specify the fields that contain the geo-location information. You must supply the Coordinates. You can also optionally specify the City, Country and Continent. You must then use the Coordinates field in the by clause.

Following is an example that uses an eval statement to supply these values:

'Log Source' = 'OCI VCN Flow Unified Schema Logs'
| eval 'Source Coordinates' = if('Source IP' in ('10.0.3.188', '10.0.0.7'), '42.5,-83.23', 
                                 'Source IP' = '129.146.13.236', '32.72,-96.68', 
                                 null)
| eval 'Source City' = if('Source Coordinates' = '42.5,-83.23',  southfield,
                          'Source Coordinates' = '32.72,-96.68', dallas,
                          null)
| geostats include = custom city = 'Source City' coordinates = 'Source Coordinates' 
       count by 'Source IP', 'Source Coordinates'

use eval statement to supply geo-location values

Specify Geo-location Using a Lookup

Instead of using an eval, you can use a simple or dictionary lookup to supply the geo-location values. Following is an example dictionary lookup:

Operator,Condition,Coordinates,City
CIDRMATCH,10.0.3.1/24,"42.5,-83.23",Southfield
CIDRMATCH,129.146.13.1/24,"32.72,-96.68",Dallas

You can then use the lookup in the query:

'Log Source' = 'OCI VCN Flow Unified Schema Logs'
| lookup table = 'Custom Coordinates' select Coordinates as 'Source Coordinates', City as 'Source City' using 'Source IP'
| geostats include = custom city = 'Source City' coordinates = 'Source Coordinates' 
      count by 'Source IP', 'Source Coordinates'

See Create a Dictionary Lookup.

Use Custom Colors in the Map

In the map visualization, you can use custom colors to identify different values of a field. The field must be included in the Group by section of the settings. use the highlightgroups command after the geostats command in the query to specify custom colors.

In the following example, the field Action is included in the Group by section. As a result, the geostats command gets updated with the Action field. Next, the query is edited to add the highlightgroups command with the color specification such that for specific values of Action, the corresponding colors are displayed in the map:

Value of Action field	Color displayed
`reject`	red
`accept`, `allow`, `alert`	green
`drop`	blue

Example query after the above changes are made:

'Client Coordinates' != null and Action != null | geostats count by Action | highlightgroups color = red [ * | where Action = reject ] | highlightgroups color = green [ * | where Action in (accept, allow, alert) ] | highlightgroups color = blue [ * | where Action in (drop) ] | sort -Action

Example map visualization upon running the above query:

Oracle Cloud Infrastructure Documentation

Specify Geo-location Using geostats Command

Specify Geo-location Using a Lookup

Use Custom Colors in the Map

Specify Geo-location Using `geostats` Command