I'm trying to set up a search to return Office 365 role change events for specific roles, such as the Global Administrator (aka Company Administrator). The event data seems to be structured like this (simplified for clarity):
{
  Id: <someGuid>
  ModifiedProperties: [
    {
      Name: Role.ObjectID
      NewValue:
      OldValue: <someGuid>
    },
    {
      Name: Role.DisplayName
      NewValue:
      OldValue: Company Administrator
    },
    {
      Name: Role.TemplateId
      NewValue:
      OldValue: <someGuid>
    },
    {
      Name: Role.WellKnownObjectName
      NewValue:
      OldValue: TenantAdmins
    }
  ]
  ObjectId: <UPN of object modified>
  Operation: <what was done>
  UserId: <UPN of user that made change>
}
I want to extract the value OldValue of ModifiedProperties object where Name = Role.DisplayName into a field. I've had a look, and had thought either spath or eval would help, but I couldn't see any extra fields being created when I used either, much less being able to then extract data from it.
Am I on the right track? Or looking at it all wrong? My base search is this:
sourcetype="o365:management:activity" AND RecordType=8 AND (ModifiedProperties{}.NewValue="TenantAdmins" OR ModifiedProperties{}.OldValue="TenantAdmins")
I then tried to push it through eval like this:
| eval 'ModifiedProperties{}.Name'='ModifiedProperties{}.OldValue'
I thought I understood that should have added 4 extra fields (to match the four ModifiedProperties objects) to the returned event, but the events didn't change.
Can anyone lend a hand?
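A search that does the extraction the question describes, added here as a worked example; it is not part of the original post and has not been run against the asker's data. It assumes the event structure and base search shown above; the field names mp and RoleName are my own choices. The idea is to keep each ModifiedProperties element intact (Name, NewValue and OldValue together) instead of working with the separately auto-extracted multivalue fields:

```spl
sourcetype="o365:management:activity" RecordType=8
    (ModifiedProperties{}.NewValue="TenantAdmins" OR ModifiedProperties{}.OldValue="TenantAdmins")
| spath output=mp path=ModifiedProperties{}
| mvexpand mp
| spath input=mp
| where Name="Role.DisplayName"
| eval RoleName=if(isnull(NewValue) OR NewValue="", OldValue, NewValue)
| table _time Operation UserId ObjectId RoleName
```

`spath output=mp path=ModifiedProperties{}` puts the raw JSON of each array element into the multivalue field mp; `mvexpand mp` turns one event with four elements into four rows that share the event's other fields; `spath input=mp` then extracts Name, NewValue and OldValue from that single element, so `where Name="Role.DisplayName"` keeps exactly the row whose OldValue (or NewValue, depending on whether the operation removed or added the role) is the role's display name. Restrict to the role of interest by appending `RoleName="Company Administrator"` to the `where` clause. The eval in the question did not create new fields because `'ModifiedProperties{}.Name'` and `'ModifiedProperties{}.OldValue'` are already two independent multivalue fields produced by automatic JSON extraction; assigning one to the other overwrites the first rather than pairing entries by position. Pairing them with mvfind/mvindex can work, but only if every element carries every key in the same order, which the mvexpand route does not depend on.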