LoFP / while latency could simply indicate a slow network connection, when combined with other indicators, it can help build a more complete picture. tune the threshold as needed for your environment baseline.

`zoom_index` 
| spath "payload.object.participant.qos{}.type" 
| search "payload.object.participant.qos{}.type"=video_input 
| rename payload.object.participant.qos{}.details.avg_latency as avg_latency "payload.object.participant.qos{}.details.latency" as latency payload.object.participant.email as email 
| rex field=avg_latency "(?<average_latency>\d+) ms" 
| rex field=latency "(?<overall_latency>\d+) ms" 
| search email="*" 
| table email overall_latency latency avg_latency average_latency _raw 
| stats latest(overall_latency) as overall_latency by email _raw 
| where overall_latency>300 
| `zoom_high_video_latency_filter`