I've got some log events to Elasticsearch (Elastic Cloud). These events go through an ingest pipeline. For some events, I'm using a (conditional) GeoIP processor that adds information about the geographical location based on an IP address. For some other events, I'm using a (conditional) Script processor to manually convert Latitude, Longitude, country name, country code etc. that come through in a log event, to a Geo field as per the ECS (Elastic Common Schema) spec.
When I try to add a layer to a Map visualization in Kibana (e.g. Documents layer or Choropleth layer), I'm getting an error of "Data view does not contain any geospatial fields".
The data view that I'm specifying, logs-*, includes events that have the geo field, e.g.
"geo": {
  "continent_name": "Oceania",
  "region_iso_code": "AU-NSW",
  "city_name": "Sydney",
  "country_iso_code": "AU",
  "country_name": "Australia",
  "region_name": "New South Wales",
  "location": {
    "lon": 151.2006,
    "lat": -33.8715
  }
}
I'm not sure if the geo field or some of the nested fields (whether added to events by the GeoIP processor or manually via the Script processor) were indexed with the wrong type? If I look at the field types for the geo.location.lat or geo.location.lon fields, I get the following:
"fields": {
  "geo": {
    "object": {
      "type": "object",
      "metadata_field": false,
      "searchable": false,
      "aggregatable": false
    }
  },
  "geo.location": {
    "object": {
      "type": "object",
      "metadata_field": false,
      "searchable": false,
      "aggregatable": false
    }
  },
  "geo.location.lat": {
    "float": {
      "type": "float",
      "metadata_field": false,
      "searchable": true,
      "aggregatable": true
    }
  }
}
I've tried several things including specifying a different target field (e.g. geox) in my GeoIP processor that would get indexed separately, but this field ends up with the same field types and I still get the "Data view does not contain any geospatial fields" error when trying to create my map visualization...
How do I get this to work?
Elasticsearch's dynamic mapping is not able to detect geospatial fields. You will need to manually map your latitude and longitude values as a geo_point field.
If you do not want to reindex your data, you can create a runtime geo_point field that can be used in Maps (as long as you are in a later version, like 8.7).
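
As an added example (not part of the original thread): a Python check over a _field_caps response shaped like the one in the question. It confirms that no geo_point or geo_shape field exists, finds the lat/lon pair that dynamic mapping split into floats, and builds the two mapping bodies the answer describes. The sample response and the runtime field name geo_location_point are constructed for illustration.

```python
import json

# Constructed sample: trimmed _field_caps response shaped like the one in the question.
FIELD_CAPS = {"fields": {
    "geo": {"object": {"type": "object"}},
    "geo.location": {"object": {"type": "object"}},
    "geo.location.lat": {"float": {"type": "float"}},
    "geo.location.lon": {"float": {"type": "float"}},
    "source.ip": {"ip": {"type": "ip"}},
}}
GEO_TYPES = {"geo_point", "geo_shape"}
NUMERIC = {"float", "half_float", "double", "scaled_float", "long", "integer"}

def geospatial_fields(caps):
    """Fields that are mapped as geo_point or geo_shape in at least one index."""
    return sorted(f for f, types in caps["fields"].items() if GEO_TYPES & set(types))

def split_points(caps):
    """Parent objects whose .lat and .lon children were mapped as plain numbers."""
    fields = caps["fields"]
    def numeric(name):
        return name in fields and set(fields[name]) <= NUMERIC
    return sorted(f[:-4] for f in fields
                  if f.endswith(".lat") and numeric(f) and numeric(f[:-4] + ".lon"))

def explicit_mapping(parent):
    """'mappings' body for an index template or new index (needs a reindex for old data)."""
    body = {"type": "geo_point"}
    for part in reversed(parent.split(".")):
        body = {"properties": {part: body}}
    return body

def runtime_mapping(parent, name):
    """Body for PUT <index>/_mapping: runtime geo_point built from the existing floats."""
    lat, lon = f"{parent}.lat", f"{parent}.lon"
    src = (f"if (doc['{lat}'].size() != 0 && doc['{lon}'].size() != 0) "
           f"{{ emit(doc['{lat}'].value, doc['{lon}'].value); }}")
    return {"runtime": {name: {"type": "geo_point", "script": {"source": src}}}}

if __name__ == "__main__":
    print("geospatial fields:", geospatial_fields(FIELD_CAPS))
    for parent in split_points(FIELD_CAPS):
        print(json.dumps(explicit_mapping(parent), indent=2))
        # geo_location_point is a hypothetical name for the runtime field.
        print(json.dumps(runtime_mapping(parent, "geo_location_point"), indent=2))
```

The existing documents need no change in shape for the explicit mapping: a geo_point field accepts an object with lat and lon keys, which is what the pipeline already writes.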