[default] [SharePoint_ObjectSite] definition = rex field=ObjectId "\/sites\/(?[^\/]+)"\ [m365_default_index] iseval = 0 definition = index=* [m365_teams_caller] iseval = 0 definition = spath "sessions{}" output="sessions"\ | spath "sessions{}.segments{}" output="segments"\ | eval call_startDateTime = startDateTime, call_endDateTime = endDateTime\ | eval number_of_sessions = mvcount(sessions), number_of_segments = mvcount(segments), call_id = id \ | fields _time call_startDateTime call_endDateTime call_id sessions number_of_sessions number_of_segments\ | mvexpand sessions\ | spath input=sessions path=id output=session_id\ | spath input=sessions path=segments{} output=segments\ | spath input=segments path=id output=segment_id\ | fields _time call_startDateTime call_endDateTime call_id session_id segment_id segments number_of_sessions number_of_segments\ | eval zip = mvzip(mvzip(session_id,segment_id,"########"),segments,"########")\ | fields _time call_startDateTime call_endDateTime call_id zip number_of_sessions number_of_segments\ | mvexpand zip\ | eval zip = split(zip,"########"), session_id = mvindex(zip,0), segment_id = mvindex(zip,1), segments = mvindex(zip,-1)\ | fields - zip\ | mvexpand segments\ | spath input=segments path=endDateTime output=segment_endDateTime\ | spath input=segments path=startDateTime output=segment_startDateTime\ | spath input=segments path=caller output=caller\ | spath input=segments path=media{} output=media\ | eval number_of_media = mvcount(media)\ | fields - segments\ | mvexpand media\ | spath input=media path=label output=media_label\ | spath input=media path="callerDevice" \ | spath input=media path="callerNetwork"\ | spath input=callerDevice\ | spath input=callerNetwork\ | spath input=caller\ | fields - media callerDevice callerNetwork caller\ | foreach * \ [ eval <> = if('<>'="null",null(),'<>')] [m365_teams_indexes] iseval = 0 definition = (index=main) [m365_teams_qos] iseval = 0 definition = eval call_startDateTime = startDateTime, call_endDateTime = endDateTime\ | spath "sessions{}" output="sessions" \ | eval number_of_sessions = mvcount('sessions{}.id'), number_of_segments = mvcount('sessions{}.segments{}.id'), call_id = id \ | fields _time call_startDateTime call_endDateTime call_id sessions number_of_sessions number_of_segments \ | mvexpand sessions \ | spath input=sessions path=id output=session_id \ | spath input=sessions path=segments{} output=segments \ | spath input=segments path=id output=segment_id \ | fields _time call_startDateTime call_endDateTime call_id session_id segment_id segments number_of_sessions number_of_segments \ | eval zip = mvzip(mvzip(session_id,segment_id,"########"),segments,"########") \ | fields _time call_startDateTime call_endDateTime call_id zip number_of_sessions number_of_segments \ | mvexpand zip \ | eval zip = split(zip,"########"), session_id = mvindex(zip,0), segment_id = mvindex(zip,1), segments = mvindex(zip,-1) \ | fields - zip \ | mvexpand segments \ | spath input=segments path=endDateTime output=segment_endDateTime\ | spath input=segments path=startDateTime output=segment_startDateTime\ | spath input=segments path=media{} output=media \ | eval number_of_media = mvcount(media) \ | fields - segments \ | mvexpand media \ | spath input=media path=label output=media_label \ | spath input=media path=streams{} output=streams \ | eval number_of_streams = mvcount(streams) \ | fields - media \ | mvexpand streams \ | spath input=streams \ | fields - streams \ | foreach "*Jitter" averageRoundTripTime maxRoundTripTime \ [ eval <> = tonumber(replace('<>',"PT(.*)S","\1"))] [message_trace_index] iseval = 0 definition = index=* [o365_sourcetypes] iseval = 0 definition = sourcetype="o365:management:activity" [m365_cp_default_index] definition = index=* iseval = 0 [m365-availability-kpi(2)] args = service, status definition = `m365_cp_default_index` sourcetype="o365:service:healthIssue" service="$service$" status="$status$" | eval ServiceFeatureDisplayName=service.": ".feature