Bring new insights to your IP analytics with a global administrative layer in Elastic Maps | Elastic Blog

We love maps at Elastic. In the Elastic Stack, there is one core component of all data we visualize using maps: Location. Location can mean reporting real-time positions of fleet vehicles, using a geofence for limiting search results, gauging application performance metrics from a geographic area, or identifying security threats by attaching geographic coordinates to IP addresses.

We recently added an administrative regions boundaries layer to Elastic Maps for fine-tuning your geospatial analytics. This layer includes boundaries for nearly 5,000 administrative subdivisions for hundreds of countries across the globe. Each boundary has an ISO 3166-2 region code that can be joined to the geo.region_iso_code fields in your indices (for example source.geo.region_iso_code) when they follow the Elastic Common Schema. The administrative regions layer is available immediately in all versions of Kibana supporting Elastic Maps.

Detailed geography for log analytics

We can use the administrative regions layer to observe where our website visitors are located. If you do not already have an Elasticsearch cluster, sign up for a free 14-day trial of Elastic Cloud. The example below uses Kibana 7.9.0, but you should be able to use any 7.x release.

First, we need some data to work with. I used the instructions in Kibana to add logs from NGINX for this demo, but you could also add other logs that contain client IP addresses, such as those from Apache or Traefik.

Getting started with Nginx logs in Kibana

Once your log data is in Elasticsearch, open Elastic Maps in Kibana and add an Elastic Maps Service (EMS boundaries) layer using administrative regions as the source layer. In the layer properties, add a term join using region ISO code as the left field. Use filebeat-* as the right source and source.geo.region_iso_code as the right field. Under Layer Style, set the fill color to By value and Count of filebeat-* as seen in the screenshot below.

Configure the administrative regions layer in Elastic Maps

This workflow is simplified in Kibana 7.9 by adding a choropleth layer instead of EMS boundaries.

Add administrative regions as a choropleth layer in Elastic Maps

Keep going!

We can analyze more than just web logs with the Elastic Stack! You can also use our Elastic Maps Service layers with other data such as APM, infrastructure monitoring, SIEM, and endpoint security.

About the data

The administrative regions layer contains second level subdivisions (first level where no second level subdivision exists) of world countries. This layer was derived from the Admin 1 - States, Provinces layer from Natural Earth with supplemental boundaries from OpenStreetMap where Natural Earth data is known to be incomplete or erroneous.

This dataset is best viewed at a scale of 1:10 million or smaller (zoom levels 0-6 in Elastic Maps). Maps of world countries and administrative regions are known to have biases and opinions. Users of Elastic Maps Service layers are recommended to inspect the data to ensure it conforms with local laws and customs. Use of this product and the Elastic Maps Service APIs is subject to the Elastic Maps Service Terms of Service.