I have O365 logs in Splunk. I want to find all shared files/folders plus display sensitivity labels of these files. All valuable information is in the same source type (sourcetype="o365:management:activity") but in separate log rows.

I want to see on my dashboard: CreationTime; ObjectId; Operation; SensitivityLabelId; Location; ProcessName; ProductVersion

"CreationTime": "2021-05-06T20:19:44"
"ApplicationName": "Microsoft Azure Information Protection Word Add-In"
"EventData": "<Type>Edit</Type><MembersCanShareApplied>False</MembersCanShareApplied>"
"Location": "On-premises SharePoint"
"EventSource": "SharePoint"
"ProcessName": "WINWORD"
"ItemType": "File"
"ProductVersion": "2.9.116.0"}
"ObjectId": "https://[FILE_FULL_PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
"CreationTime": "2021-05-06T20:13:57"
"Operation": "AnonymousLinkCreated"
"DataState": "Use"
"RecordType": 14
"ObjectId": "https://[FILE_FULL_PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
"SiteUrl": "[MY_PERSONAL_DRIVE]"
"Operation": "Access"
"SourceFileExtension": "docx"
"ProtectionEventData": {"IsProtected": true
"SourceFileName": "TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
"ProtectionOwner": "test@mail.com"
"SourceRelativeUrl": "[PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
"ProtectionType": "Template"
"UserId": "test@mail.com"
"SensitiveInfoTypeData": []
"Workload": "OneDrive"}
"SensitivityLabelEventData": {"SensitivityLabelId": "70fd9a0e-0d31-4c8e-9c48-fa8ba4ec32c0"}
"UserId": "test@mail.com"
"UserKey": "test@mail.com"
"UserType": 0
"Version": 1
"Workload": "Aip"}
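The correlation asked about above is a join of the sharing event and the label event on ObjectId. The following is an added example, not part of the original post, that shows the join in Python over constructed events and covers the case of a shared file that has no label event. The names `correlate_shares`, `find_key` and `SHARE_OPS`, the "Common" wrapper object and the second (unlabeled) file are assumptions made for illustration.

```python
SHARE_OPS = {"AnonymousLinkCreated"}  # the only sharing Operation shown in the post
LABEL_COLUMNS = ["SensitivityLabelId", "Location", "ProcessName", "ProductVersion"]

def find_key(obj, key):
    """Depth-first lookup; the excerpt does not show where each field nests."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for value in obj.values():
            found = find_key(value, key)
            if found is not None:
                return found
    return None

def correlate_shares(events):
    """One row per sharing event, enriched from the newest label event on the same ObjectId."""
    labels = {}
    for ev in events:
        if find_key(ev, "SensitivityLabelId") is None:
            continue
        seen = labels.get(ev.get("ObjectId"))
        # ISO-8601 timestamps of equal precision sort correctly as strings
        if seen is None or ev.get("CreationTime", "") > seen.get("CreationTime", ""):
            labels[ev.get("ObjectId")] = ev
    rows = []
    for ev in events:
        if ev.get("Operation") not in SHARE_OPS:
            continue
        label_ev = labels.get(ev.get("ObjectId"), {})  # {} when the file was never labeled
        row = {k: ev.get(k) for k in ("CreationTime", "ObjectId", "Operation")}
        row.update({k: find_key(label_ev, k) for k in LABEL_COLUMNS})
        rows.append(row)
    return rows

# Constructed sample events reusing values from the post. Which fields belong to which
# event, the "Common" wrapper and the unlabeled second file are assumptions.
URL = "https://[FILE_FULL_PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
SAMPLE = [
    {"CreationTime": "2021-05-06T20:13:57", "Operation": "AnonymousLinkCreated",
     "Workload": "OneDrive", "ObjectId": URL},
    {"CreationTime": "2021-05-06T20:19:44", "Operation": "Access", "Workload": "Aip",
     "ObjectId": URL,
     "Common": {"Location": "On-premises SharePoint", "ProcessName": "WINWORD",
                "ProductVersion": "2.9.116.0"},
     "SensitivityLabelEventData": {"SensitivityLabelId": "70fd9a0e-0d31-4c8e-9c48-fa8ba4ec32c0"}},
    {"CreationTime": "2021-05-06T21:00:00", "Operation": "AnonymousLinkCreated",
     "Workload": "OneDrive", "ObjectId": "https://[FILE_FULL_PATH]/UNLABELED.docx"},
]

if __name__ == "__main__":
    for row in correlate_shares(SAMPLE):
        print(row)
```

A shared file with no matching label event still produces a row, with the label columns empty, so unlabeled anonymous links stay visible on the dashboard.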