It appears as though using the geonormalize command isn't working for you. You could do an eval on _geo and pipe it to a table to see if you are actually getting anything.
... | eval mygeo = _geo | table mygeo
Or try building the _geo field yourself as you see below:
Use existing geolocation information available in search results
It's a common case that events already contain geo information.
The geonormalize command
The geonormalize command can detect existing fields containing geo information and normalize them for the GoogleMaps module. To do this, the command searches for field pairs (a latitude field and a longitude field) matching a name scheme. The values of those fields are then merged and emitted as the _geo field. The following name schemes are supported:
*lat/*lng
*lat/*lon
*latitude/*longitude
So for example when an event has the fields gps_lat=47.11 and gps_lon=0.815 the geonormalize command will detect those fields and emit the _geo field with the value 47.11,0.815.
Example:
sourcetype=device_tracking device_id=A47C08B13 | geonormalize
Manually building the _geo field
If you don't want to use the geonormalize command or if the location fields do not match any naming scheme, you can manually build the _geo field.
Example:
eventtype=phone_activation | eval _geo=phone_loc_1+","+phone_loc_2
(Assuming that phone_loc_1 contains the latitude and phone_loc_2 contains the longitude)
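To check offline why an event yields no _geo value, the naming schemes quoted in the answer above can be modeled in a few lines. This is an added example, not part of the original post and not the Google Maps app's code; it assumes that both fields of a pair share the same prefix, and the numeric range check is an extra sanity test rather than documented behavior. The function names and all sample fields except gps_lat/gps_lon are made up for illustration.

```python
# Added example: models the naming schemes described above. It is not the
# Google Maps app's code; same-prefix pairing and the range check are assumptions.
SCHEMES = [("latitude", "longitude"), ("lat", "lng"), ("lat", "lon")]


def to_coord(value, limit):
    """Return value as a float within [-limit, limit], or None if unusable."""
    try:
        number = float(value)
    except (TypeError, ValueError):
        return None
    return number if -limit <= number <= limit else None


def diagnose(event):
    """Return (geo_values, problems) for one event given as {field: value}."""
    geo, problems = [], []
    for name in sorted(event):
        suffixes = [(a, o) for a, o in SCHEMES if name.endswith(a)]
        if not suffixes:
            continue  # not a latitude-style field name
        partners = [name[: len(name) - len(a)] + o for a, o in suffixes]
        partners = [p for p in partners if p in event]
        if not partners:
            problems.append(f"{name}: no longitude field with the same prefix")
        for partner in partners:
            lat, lon = to_coord(event[name], 90), to_coord(event[partner], 180)
            if lat is None or lon is None:
                problems.append(f"{name}/{partner}: value missing or out of range")
            else:
                geo.append(f"{event[name]},{event[partner]}")
    return geo, problems


# Constructed sample events (field names other than gps_lat/gps_lon are made up).
SAMPLES = [
    {"gps_lat": "47.11", "gps_lon": "0.815"},            # the page's example
    {"phone_loc_1": "47.11", "phone_loc_2": "0.815"},    # matches no scheme
    {"pos_latitude": "47.11", "pos_long": "0.815"},      # longitude name differs
    {"gps_lat": "", "gps_lng": "0.815"},                 # empty latitude
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", diagnose(sample))
```

An event that returns no values and no problems, like the second sample, has no field that fits a scheme at all, which is the case where building _geo by hand with eval is needed.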