Splunk Lantern

Getting started with Microsoft Teams call record data


Microsoft Teams is a hub for team collaboration in Microsoft 365 that integrates people, content, and tools. Microsoft provides valuable data to ensure your Teams users are having a good experience, and one of the most important pieces of data is a call record. Call records provide usage and diagnostic information about the calls and online meetings within your organization when using Microsoft Teams. This includes call quality data, networking data, audio and video jitter, device data, and more.

How Microsoft makes Teams call record data available

There are three main components to getting Microsoft Teams call records:

  1. A change notification subscription. Listens for changes to Microsoft Teams calls (for example, the call ended or was updated) and sends a notification about the changes to a listening webhook. Only a notification is sent to the webhook, not the full details of the call.
  2. A specialized webhook. Receives the change notification from the change notification subscription. The webhook must be a publicly accessible, HTTPS-secured endpoint that is addressable via a URL. Additionally, the webhook must implement authentication, retry logic, and specific validation.
  3. A REST client. Retrieves the full Microsoft Teams call record data. The REST client utilizes the change notification data received by the specialized webhook to retrieve the full call record data.
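The webhook's validation and authentication duties can be sketched as follows. This is an added example, not code from the Microsoft Teams Add-on for Splunk or the Azure Functions project. The `validationToken`, `clientState`, `value` and `resource` fields follow Microsoft Graph change notifications, which the page does not spell out; `handle_webhook`, `EXPECTED_CLIENT_STATE` and the GUID-shaped record id are assumptions made for illustration.

```python
import hmac
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed secret; the real value is chosen when the subscription is created.
EXPECTED_CLIENT_STATE = "constructed-client-state-secret"
# Assumption: call record ids are GUIDs; anything else is rejected so the id
# is safe to place in the REST client's request URL.
RESOURCE_RE = re.compile(r"communications/callRecords/([0-9a-fA-F-]{36})")


def handle_webhook(method, url, body=b""):
    """Return (status, content_type, response_body, call_record_ids)."""
    query = parse_qs(urlsplit(url).query)
    token = query.get("validationToken")
    if token:
        # Subscription handshake: echo the decoded token as plain text,
        # never as HTML, so the reflected value cannot be rendered.
        return 200, "text/plain", token[0], []
    if method != "POST":
        return 405, "text/plain", "", []
    try:
        notifications = json.loads(body)["value"]
    except (ValueError, KeyError, TypeError):
        return 400, "text/plain", "", []
    if not isinstance(notifications, list):
        return 400, "text/plain", "", []

    record_ids = []
    for item in notifications:
        if not isinstance(item, dict):
            continue
        state = str(item.get("clientState", "")).encode()
        # Constant-time compare; silently drop notifications without our secret.
        if not hmac.compare_digest(state, EXPECTED_CLIENT_STATE.encode()):
            continue
        match = RESOURCE_RE.fullmatch(str(item.get("resource", "")))
        if match:
            record_ids.append(match.group(1))
    # Acknowledge quickly; fetching the full records is the REST client's job.
    return 202, "text/plain", "", record_ids
```

The returned ids are what the REST client would use to request each full call record; retry logic and token acquisition for that client are outside this sketch.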

How to get Microsoft Teams call record data into the Splunk platform

There are two main methods to get Microsoft Teams call record data into the Splunk platform. These methods are described below, along with the pros and cons of each method and links to detailed implementation guides.

1. Use the Microsoft Teams Add-on for Splunk

The Microsoft Teams Add-on for Splunk is a traditional Splunk Technical Add-on (TA) and is installed on a Splunk instance. The add-on implements the specialized webhook mentioned above, provides a method for creating a change notification subscription, and implements the REST client to retrieve the full call record data.


Pros

  • Implements all the necessary pieces to subscribe to and receive Microsoft Teams call record data.
  • Runs on a Splunk instance and is self-contained.
  • Includes additional reporting inputs for aggregated usage statistics.

Cons

  • Requires external access to the Splunk instance running the add-on. A reverse proxy or load balancer can be used in front of the Splunk instance.
  • Does not work on Splunk Cloud Platform due to the specialized webhook requirements.
  • The URL of the webhook must be HTTPS with no private certificates in the certificate chain.

For a detailed walkthrough, refer to the article Getting started with the Microsoft Teams Add-on for Splunk.

2. Use Azure Functions

Azure Functions is an event-driven, serverless compute platform that can be used for building core business logic and orchestration. An implementation of Azure Functions to address Microsoft Teams call record data is available as an open-source project on GitHub. With Azure Functions, all the necessary code to retrieve call record data is implemented in the Azure subscription, and full call records are pushed to a listening Splunk HTTP Event Collector (HEC) endpoint.


Pros

  • Implements all the necessary pieces to subscribe to and receive Microsoft Teams call record data.
  • Works with Splunk Cloud Platform since the webhook logic is implemented in Azure and then pushed to an HTTP Event Collector (HEC) endpoint.
  • Doesn't need an add-on in the Splunk platform for Microsoft Teams call record data collection.

Cons

  • All components run in Azure and may require additional implementation considerations in the Azure tenant.
  • If an event is not delivered to an HTTP Event Collector endpoint, the event is written to an Azure storage blob container. Therefore, it is recommended to set up the Splunk Add-on for Microsoft Cloud Services blob input to monitor the Azure Function storage account for “dead letter” events.

For a detailed walkthrough, refer to Getting started with Microsoft Teams and Azure Functions.

Using Microsoft Teams call record data in the Splunk platform

Whether you use the Microsoft Teams Add-on for Splunk or Azure Functions, the Microsoft Teams call record data is the same. The body of the call record is quite large and contains several data points, including the meeting URL; the modalities used during the call, such as audio, video, and screen sharing; the call participants and their details; the devices used by participants; and media statistics such as audio degradation, audio jitter, video frame rates, video packet loss, packet utilization, freeze duration, and more.

To help make sense of all this data, the Microsoft 365 App for Splunk has several out-of-the-box dashboards to visualize common use case scenarios for Microsoft Teams call record data. There is an overview dashboard that gives a high-level view of the calls, modalities, and locations.

The Quality of Service dashboard gives an overview of end user experience via metrics such as audio quality, video quality, jitter, bandwidth, packet utilization and more. You can drill down to a specific call to get all the minute details, or you can drill down to the raw data.