I was wondering why the Microsoft 365 App Teams Activity Report dashboard did not show any data in the dropdown on the page so I took it apart and looked at the query:  

`m365_default_index` sourcetype="o365:graph:api" source=TeamsUserActivityUserDetail | stats latest(_time) AS _time by "Report Refresh Date" | rename "Report Refresh Date" AS ReportRefreshDate | sort - _time

So I ran this in a search in the app's context and got nothing.  I pared the search down to just:

`m365_default_index` sourcetype="o365:graph:api" source=TeamsUserActivityUserDetail

and looked at the fields.  The field the search is looking for, Report Refresh Date, is in the field list in Smart Mode and in the syntax highlighted record.  So I tried just returning a table with that field and got nothing but the field name, no data.

I took the first result with the simple query:

`m365_default_index` sourcetype="o365:graph:api" source=TeamsUserActivityUserDetail

and clicked Show as raw text.  The field I am looking for is the very first field but is prefaced with \ufeff, making it "\ufeffReport Refresh Date".  This is why searching the field name is not working.

I drilled into one of the Report Refresh Date contents and in the resulting search it show the field name with a character at the front of it - ".Report Refresh Date" with the period highlighted in pink.  That search returned correct results.  I tried copying that and pasting it into another search and THAT one worked.

Has anyone else seen this in this report and is there a fix for it?  I am currently going through the query and replacing the field name with the one copied from the query that works to a point but this is a band-aid.  And unfortunately when I try to fix the dashboard it gets hung up on the Field for value input (won't let me copy that special character in there). 

I am no Splunk expert.  Is there any way to filter this what looks to be a UTF-8 character from this field name in a search?  The issue is coming from Microsoft in the ingested logs.

Thoughts?