Brand new Splunk Enterprise 7.1.0 install, not upgraded, and installed the 1.1.0 version of TA-MS_O365_Reporting on the Search Head cluster via Deployer and also on a Heavy Forwarder via the Deployment Server. Configured the app via the web GUI on the HF following the documentation on the Splunkbase page. Created an o365 index and set that as the index in the app. I'm seeing "05-30-2018 11:01:00.558 -0500 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-vendor_product' in stanza [ms:o365:reporting:messagetrace]: The expression is malformed. Expected OR." being logged constantly on the SHs and HF in splunkd.log and getting no messagetrace events in index=o365. Any suggestions? ... View more