Mapping Geospatial Time Events

I have an index wherein one of the pieces of data is the date a last event occurred as well as location. Using geospatial I want to map the events occurring based on the dates assigned to each document. I want to use the Kibana time select to update what's in view accordingly. So my map would effectively work as a heat map, showing event locations for the past 24 hours, a week, a month, whatever the Kibana master date selection is.

I have no issues getting the geolocation data and can see all my points for all events. I can’t seem to get it to filter based on the times or the quick select.

I currently have the date formatted as a date in yyyy-MM-dd format.

So far all I’ve found is how to filter by the event as a wildcard to show any of the events but not a way to link it to the time picker.

2 things to check

  1. Verify field containing date information is indexed as date field
  2. Verify data view time field is set. Kibana time filter uses data view time field to filter data by time

To view both, go to "Stack management" -> "Data views" and open your data view.


You are a hero, at least for me. This was it, thank you!

Question, in your screenshot you have 4x fields for time. Your time field for the index is, however, the one you have highlighted. I have the time field working, however, now anything that falls out of the time field no longer shows in visualizations. I'm wondering how I should approach this, so let me explain what I am doing.

I have a database of threat actors. The only (currently) date field is a field for "Last Seen" which indicates when that threat actor was last known to have been conducting operations. I have a dashboard with many metrics that captures a host of data on over 1,000 threat actors. One of the items on the dashboard is a heat map for "Last Seen." However, not all threat actors have a "last seen" date. Some are historic or do not have an accurate record to go off of (yet).

What this means is that my dashboard, even if I set it to show 100 years of data, only displays the ones that have a "Last Seen" entry.

My question is, aside from a second index that is used specifically for the heat map, is there a way to have my entire dashboard show all results (including those missing the timefield) while keeping the heat map going with the time field?

The only solution I can think of is to put in a "place holder" date for "Last Seen" that will fill the blanks and allow them all to populate.

I considered adding a time field for "Date Added" to represent a date added to the database, thus giving all entries a date and allowing them to populate, but as I understand it, this would mean I would have to change the Index's Time Field to that parameter and now the heat map would fail to function as intended.

I think the second option with a new date field that works for the whole dataset is the best option.

If you add an alias to your index, then you can create a new Data View that works with the Last Seen field and use that in your Dashboard.

Something worth noting, in case you missed it and it is useful for your use case, is that a layer in Maps can:

  • fully ignore both the time range and the search bar
  • set up its own filter

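A concrete version of the alias approach above, as an added example that is not part of the original thread. It assumes an index named threat-actors with a last_seen date field, an alias named threat-actors-by-last-seen, and ES_URL and KIBANA_URL environment variables; it uses the Elasticsearch _aliases API and Kibana's data views API, and includes a small offline model of why documents with no last_seen value disappear under the time picker.

```python
import json
import os
import urllib.request

INDEX = "threat-actors"               # assumed index name
ALIAS = "threat-actors-by-last-seen"  # assumed alias name
DATE_FIELD = "last_seen"              # the "Last Seen" field from the thread

def index_mapping():
    # last_seen as a real date field (check 1 in the thread), in the documents'
    # yyyy-MM-dd format; documents are free to omit it.
    return {"mappings": {"properties": {
        "name": {"type": "keyword"},
        "location": {"type": "geo_point"},
        DATE_FIELD: {"type": "date", "format": "yyyy-MM-dd"},
    }}}

def alias_action():
    # Body for POST /_aliases: the alias reads the same documents, nothing is copied.
    return {"actions": [{"add": {"index": INDEX, "alias": ALIAS}}]}

def data_view(title, time_field=None):
    # Body for Kibana's POST /api/data_views/data_view. Omitting timeFieldName
    # gives a data view the time picker never filters (check 2 in the thread).
    body = {"title": title, "name": title}
    if time_field:
        body["timeFieldName"] = time_field
    return {"data_view": body}

def matches_time_filter(doc, gte, lte):
    # Offline model of the time picker's range query: a document with no last_seen
    # never matches, so it drops off a time-filtered dashboard (yyyy-MM-dd sorts as text).
    value = doc.get(DATE_FIELD)
    return value is not None and gte <= value <= lte

def call(url, method, body, headers):
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    es, kb = os.environ["ES_URL"], os.environ["KIBANA_URL"]
    es_hdr = {"Content-Type": "application/json"}
    kb_hdr = {**es_hdr, "kbn-xsrf": "true"}  # Kibana rejects API writes without it
    call(f"{es}/{INDEX}", "PUT", index_mapping(), es_hdr)
    call(f"{es}/_aliases", "POST", alias_action(), es_hdr)
    call(f"{kb}/api/data_views/data_view", "POST", data_view(INDEX), kb_hdr)  # whole dashboard
    call(f"{kb}/api/data_views/data_view", "POST", data_view(ALIAS, DATE_FIELD), kb_hdr)  # heat map
```

Point the dashboard's other panels at the data view on the index (no time field) and only the heat map at the data view on the alias (last_seen as time field); both read the same documents, so nothing is duplicated.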

I never considered an Alias, I will need to play around with this option!
