All Apps and Add-ons

Why is Microsoft 365 App Teams Activity Report not showing data?


I was wondering why the Microsoft 365 App Teams Activity Report dashboard did not show any data in the dropdown on the page so I took it apart and looked at the query:  

`m365_default_index` sourcetype="o365:graph:api" source=TeamsUserActivityUserDetail | stats latest(_time) AS _time by "Report Refresh Date" | rename "Report Refresh Date" AS ReportRefreshDate | sort - _time

So I ran this in a search in the app's context and got nothing.  I pared the search down to just:

`m365_default_index` sourcetype="o365:graph:api" source=TeamsUserActivityUserDetail

and looked at the fields.  The field the search is looking for, Report Refresh Date, is in the field list in Smart Mode and in the syntax highlighted record.  So I tried just returning a table with that field and got nothing but the field name, no data.

I took the first result with the simple query:

`m365_default_index` sourcetype="o365:graph:api" source=TeamsUserActivityUserDetail

and clicked Show as raw text.  The field I am looking for is the very first field but is prefaced with \ufeff, making it "\ufeffReport Refresh Date".  This is why searching the field name is not working.

I drilled into one of the Report Refresh Date contents and in the resulting search it show the field name with a character at the front of it - ".Report Refresh Date" with the period highlighted in pink.  That search returned correct results.  I tried copying that and pasting it into another search and THAT one worked.

Has anyone else seen this in this report and is there a fix for it?  I am currently going through the query and replacing the field name with the one copied from the query that works to a point but this is a band-aid.  And unfortunately when I try to fix the dashboard it gets hung up on the Field for value input (won't let me copy that special character in there). 

I am no Splunk expert.  Is there any way to filter this what looks to be a UTF-8 character from this field name in a search?  The issue is coming from Microsoft in the ingested logs.


Labels (2)
0 Karma


I did finally get this working and I added a date picker to the page.  However it is still a band-aid.  I am wondering if anyone else has encountered data like this with a special character in the field name and curious as to what you did with it?

0 Karma


Back to the same issue.  Once the dash is saved and you come back to it, the embedded character is stripped from the search so that dashboards will not work with that embedded special character in them any more.

0 Karma



I've just ran into this issue today and decided to extract it from _raw using regex or create automatic extractions

| rex field=_raw "Report\sRefresh\sDate\":\s\"(?<ReportRefreshDate>[\d+-]*)\""

Hope that helps

Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...