Bring new insights to your IP analytics with a global administrative layer in Elastic Maps
We love maps at Elastic. In the Elastic Stack, there is one core component of all data we visualize using maps: Location. Location can mean reporting real-time positions of fleet vehicles, using a geofence for limiting search results, gauging application performance metrics from a geographic area, or identifying security threats by attaching geographic coordinates to IP addresses.
We recently added an administrative regions boundaries layer to Elastic Maps for fine-tuning your geospatial analytics. This layer includes boundaries for nearly 5,000 administrative subdivisions for hundreds of countries across the globe. Each boundary has an ISO 3166-2 region code that can be joined to geo.region_iso_code fields in your indices using the Elastic Common Schema. The administrative regions layer is available immediately in all versions of Kibana supporting Elastic Maps.
Detailed geography for log analytics
We can use the administrative regions layer to observe where our website visitors are located. If you do not already have an Elasticsearch cluster, sign up for a free 14-day trial of Elastic Cloud. The example below uses Kibana 7.9.0, but you should be able to use any 7.x release.
First, we need some data to work with. I used the instructions in Kibana to add logs from NGINX for this demo, but you could also add other logs that contain IP addresses such as Apache or Traefik.
Once your log data is in Elasticsearch, open Elastic Maps in Kibana and add an Elastic Maps Service (EMS boundaries) layer using administrative regions as the source layer. In the layer properties add a term join using region ISO code as the left field. Use filebeat-* and source.geo.region_iso_code as the right source and right field, respectively. Under Layer Style, set the fill color to By value and Count of filebeat-* as seen in the screenshot below.
This workflow is simplified in Kibana 7.9 by adding a choropleth layer instead of EMS boundaries.
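To make the join above concrete, here is an added example (not Elastic's code and not part of the original post) that does in plain Python what the term join does inside Elastic Maps: it parses NGINX access-log lines into minimal ECS documents, counts documents per source.geo.region_iso_code, and then keeps only the codes that exist in the boundary layer's region ISO code field. The log lines, the IP-to-region lookup table (a stand-in for the Filebeat module's GeoIP enrichment) and the boundary code set are all constructed sample data.

```python
"""Count web-log hits per ISO 3166-2 region, the aggregation an Elastic Maps
term join performs when 'region ISO code' is joined to source.geo.region_iso_code.

Added example, not Elastic's code. The log lines and the IP-to-region lookup
table are constructed sample data: in a real pipeline the Filebeat NGINX module's
GeoIP processing fills the ECS source.geo.* fields from a GeoIP database."""
import re
from collections import Counter

# Constructed NGINX combined-format access log lines (sample data, documentation IPs).
ACCESS_LOG = """\
203.0.113.10 - - [10/Aug/2020:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Aug/2020:12:00:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2020:12:01:10 +0000] "POST /login HTTP/1.1" 401 220 "-" "curl/7.68.0"
192.0.2.44 - - [10/Aug/2020:12:02:00 +0000] "GET /admin HTTP/1.1" 403 153 "-" "python-requests/2.24"
10.0.0.5 - - [10/Aug/2020:12:03:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.18"
this line is not an access log entry
"""

# Constructed stand-in for a GeoIP lookup: ECS-style geo fields keyed by IP.
# region_iso_code must be a full ISO 3166-2 code (country-hyphen-subdivision)
# to match the boundary layer's 'region ISO code' field.
GEOIP_TABLE = {
    "203.0.113.10": {"country_iso_code": "US", "region_iso_code": "US-CA", "region_name": "California"},
    "198.51.100.7": {"country_iso_code": "DE", "region_iso_code": "DE-BY", "region_name": "Bavaria"},
    "192.0.2.44":   {"country_iso_code": "US", "region_iso_code": "US-CA", "region_name": "California"},
}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def parse_line(line):
    """Return a minimal ECS document for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    doc = {"source": {"ip": m["ip"]}, "http": {"response": {"status_code": int(m["status"])}}}
    geo = GEOIP_TABLE.get(m["ip"])
    if geo:  # private or unknown addresses get no source.geo.* fields, as with a real GeoIP miss
        doc["source"]["geo"] = dict(geo)
    return doc


def hits_per_region(log_text):
    """Count documents per source.geo.region_iso_code: the right side of the Maps term join."""
    counts = Counter()
    for line in log_text.splitlines():
        doc = parse_line(line)
        if doc is None or "geo" not in doc["source"]:
            continue  # unparsable lines and GeoIP misses can never join to a boundary
        counts[doc["source"]["geo"]["region_iso_code"]] += 1
    return dict(counts)


def join_to_boundaries(counts, boundary_codes):
    """Emulate the term join: keep only regions present in the boundary layer and
    report codes that fell through (e.g. a bare 'CA' instead of 'US-CA')."""
    joined = {code: n for code, n in counts.items() if code in boundary_codes}
    unmatched = sorted(set(counts) - set(boundary_codes))
    return joined, unmatched


if __name__ == "__main__":
    # Constructed subset of 'region ISO code' values from the boundary layer.
    boundaries = {"US-CA", "US-NY", "DE-BY", "DE-BE"}
    counts = hits_per_region(ACCESS_LOG)
    joined, unmatched = join_to_boundaries(counts, boundaries)
    print("per-region counts:", counts)
    print("joined to layer:", joined, "unmatched:", unmatched)
```

The unmatched list is the check worth keeping in a real deployment: a region that is populated in your index but never colours in on the map almost always means the right field holds a code in a different format than the layer's ISO 3166-2 key, and the health-check traffic from the private address shows why requests without source.geo.* fields simply drop out of the join rather than distorting it.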
Keep going!
We can analyze more than just web logs with the Elastic Stack! You can also use our Elastic Maps Service layers with other data such as APM, infrastructure monitoring, SIEM, and endpoint security.
About the data
The administrative regions layer contains second level subdivisions (first level where no second level subdivision exists) of world countries. This layer was derived from the Admin 1 - States, Provinces layer from Natural Earth with supplemental boundaries from OpenStreetMap where Natural Earth data is known to be incomplete or erroneous.
This dataset is best viewed at a scale of 1:10 million or smaller (zoom levels 0-6 in Elastic Maps). Maps of world countries and administrative regions are known to have biases and opinions. Users of Elastic Maps Service layers are recommended to inspect the data to ensure it conforms with local laws and customs. Use of this product and Elastic Maps Service APIs are subject to the Elastic Maps Service Terms of Service.