I installed the official Elastic integration to collect 365 logs. Using the dashboard that the integration provides, I see nothing in the map section (see image). Has anyone encountered this issue? Or does anyone know how to fix it?
Hello @Alberto_Russo
Could you please check the data in logs-* if it is valid & has a geo field along with the time duration selected for the dashboard?
Similar issue in below post :
Thanks!!
Thanks @Alberto_Russo for sharing the document, looking at the details it looks like a valid geo location.
Still could you please check the field mapping :
GET your_index/_mapping
If the location is :
"location": {
  "type": "geo_point"
}
Also check the logs-* dataview which you are selecting has the updated 365 logs as part of the dataview
Thanks!!
After the GET request 'GET logs-o365.audit*/_mapping', this is my output in relation to location:
"source": {
  "properties": {
    "as": {
      "properties": {
        "number": {
          "type": "long"
        },
        "organization": {
          "properties": {
            "name": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        }
      }
    },
    "geo": {
      "properties": {
        "city_name": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "continent_name": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "country_iso_code": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "country_name": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "location": {
          "properties": {
            "lat": {
              "type": "float"
            },
            "lon": {
              "type": "float"
            }
          }
        },
        "region_iso_code": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "region_name": {
          "type": "keyword",
          "ignore_above": 1024
        }
      }
Hello @Alberto_Russo
Thanks for sharing the output. As it is an object mapping & not geopoint, that might be the reason for a blank map:
"location": {
  "properties": {
    "lat": {
      "type": "float"
    },
    "lon": {
      "type": "float"
    }
  }
}
As we select the dataview while creating a map, it lists the valid fields which can be selected; for you this might be empty:
Thanks!!
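A check for the condition described in the reply above, as an added example that is not part of the original thread or Elastic's own code: it walks a `GET <index>/_mapping` response and reports which location fields are real `geo_point` fields and which are objects with `lat`/`lon` sub-fields. The sample mapping, the index name and the `client.geo.location` entry are constructed for illustration.

```python
import json

# Constructed sample: a trimmed _mapping response shaped like the output posted
# above. The index name and the client.geo entry are placeholders/assumptions.
SAMPLE_MAPPING = json.loads("""
{"example-o365-audit-index": {"mappings": {"properties": {
  "source": {"properties": {"geo": {"properties": {
    "city_name": {"type": "keyword", "ignore_above": 1024},
    "location": {"properties": {"lat": {"type": "float"}, "lon": {"type": "float"}}}
  }}}},
  "client": {"properties": {"geo": {"properties": {"location": {"type": "geo_point"}}}}}
}}}}
""")


def walk(properties, prefix=""):
    """Yield (dotted_field_path, definition) for every field, recursing into objects."""
    for name, definition in properties.items():
        path = prefix + name
        yield path, definition
        if "properties" in definition:
            yield from walk(definition["properties"], path + ".")


def classify(definition):
    """Return 'geo_point', 'object_lat_lon', or None for one field definition."""
    if definition.get("type") == "geo_point":
        return "geo_point"
    children = definition.get("properties", {})
    if definition.get("type", "object") == "object" and {"lat", "lon"} <= set(children):
        return "object_lat_lon"
    return None


def audit_geo_fields(mapping_response):
    """Map 'index:field' to its classification for each location-like field."""
    report = {}
    for index, body in mapping_response.items():
        props = body.get("mappings", {}).get("properties", {})
        for path, definition in walk(props):
            kind = classify(definition)
            if kind:
                report[f"{index}:{path}"] = kind
    return report


if __name__ == "__main__":
    for field, kind in sorted(audit_geo_fields(SAMPLE_MAPPING).items()):
        print(f"{field}: {kind}")
```

To run it against real data, save the output of `GET logs-o365.audit*/_mapping` to a file and pass the parsed JSON to `audit_geo_fields`.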
So I need to change the type? From Object to Geopoint? How can I do it?
Are these mappings from the official o365 integration?
What version are you on (elasticsearch and the integration please)?
Hello @RainTown,
This is my current version of Integration
and this is my ELK version:
{
  "name": "securityonion",
  "cluster_name": "securityonion",
  "cluster_uuid": "WrQ4IVzfSvWajD63YjDhAg",
  "version": {
    "number": "8.18.6",
    "build_flavor": "default",
    "build_type": "docker",
    "build_hash": "970b6c3ae853753ae66a12c1208c85a3c9728d92",
    "build_date": "2025-08-25T22:05:47.180118464Z",
    "build_snapshot": false,
    "lucene_version": "9.12.1",
    "minimum_wire_compatibility_version": "7.17.0",
    "minimum_index_compatibility_version": "7.0.0"
  },
  "tagline": "You Know, for Search"
}
Thanks. I note and 2.31.0 is the latest version, supposed to be compatible with your ES version, so you might wish to upgrade (under Settings)
But what I don’t understand is that the fields you shared, which were a subset of the mapping, don’t match the documentation or the example doc. Can you share the complete mapping?
Was this ever working, i.e. with previous versions of either ES or the integration, or is this something you are using for first time?
This is my first time using it, as with ELK Stack. I'll send you the full output of the command?
GET logs-o365.audit*/_mapping
Hello @Alberto_Russo
As per the screenshot shared, the integration will have default Assets which you can check and see if it is useful, because as per the screenshot I see a map as well:
Thanks!!




