Hey Guys,
I have a choropleth map which returns the amount of hits on security data from ip's attacking from different countries
search : index=... | iplocation SRC_IP | stats count by Country | eval count=count | eval Country=if(Country="","unknown",Country) | geom geo_countries featureIdField="Country" | sort + count
The problem is, when searched over a long period of time, the country for the highest has a high count so everything else which has a lot less is put into the lowest bin
e.g. china has 6 million hits so it is in the top bin, whereas everything else has 1m, 500k etc so it is put into the lowest bin.
Is there a way to normalise this so that more colours are shown?
Try to
| eval normalizedCount = ln(count)
or something like that, if you can't log scale the map from settings.
or just cut down the China values until you get more colorful maps, I guess.
Try to
| eval normalizedCount = ln(count)
or something like that, if you can't log scale the map from settings.
or just cut down the China values until you get more colorful maps, I guess.
Thanks! Works perfectly 🙂