Database=" " Database dbquoted All Databases | inputlookup dbInformation | eval dbquoted=replace(Database,"\\\\","\\\\\\") | stats count by Database,dbquoted -1m now true Last 60 minutes
Top Mailboxes by Size eventtype=msexchange-mailbox-usage $database$ | eval percquota=(TotalItemSize/MinQuota)*100.00 | eval cs_username = User | `normalize_user` | stats max(TotalItemSize) as mboxsize,max(percquota) as quotausage by user_subject | sort -mboxsize | eval mboxsize=ceiling(mboxsize/1048576) | rename quotausage as "% Quota Used",mboxsize as "Mailbox Size (MB)",user_subject as "Mailbox Username" client_byusername?autoRun=true&form.username=$row.Mailbox Username$&earliest=$earliest$&latest=$latest$
Top Mailboxes by Deleted Items Size eventtype=msexchange-mailbox-usage $database$ | eval percquota=(TotalItemSize/MinQuota)*100.00 | eval cs_username = User | `normalize_user` | stats max(TotalDeletedItemSize) as delsize by user_subject | search delsize > 0 | sort -delsize | eval delsize=ceiling(delsize/1048576) | rename delsize as "Deleted Item Size (MB)",user_subject as "Mailbox Username" client_byusername?autoRun=true&form.username=$row.Mailbox Username$&earliest=$earliest$&latest=$latest$
Top Mailbox Folder Types by Size eventtype=msexchange-folder-usage | eval Type=if(match(Folder,"^/RSS Feeds/"), "RSSFeeds", Type) | join type=inner [search eventtype=msexchange-mailbox-usage $database$|dedup User,Database|fields User,Database] | eval cs_username = User | `normalize_user` | stats latest(Size) as Size by host,Type,Folder,Database,user_subject | stats sum(Size) as tsize by Type | eval tmb=tsize/1048576 | table Type,tmb | sort -tmb | rename Type as "Folder Type",tmb as "Size (MB)" search/?earliest=$earliest$&latest=$latest$&q=search eventtype=msexchange-folder-usage|eval Type=if(match(Folder,"^/RSS Feeds/"), "RSSFeeds", Type)|search Type="$click.value$"| eval cs_username = User | `normalize_user` |stats latest(Size) as Size by host,Type,Folder,user_subject|stats sum(Size) as tsize by user_subject|rename user_subject as "Username",tsize as "Total Size"
Top Mailboxes with Junk Email eventtype=msexchange-folder-usage (Type="JunkEmail" OR Type="DeletedItems") | join type=inner User [search eventtype=msexchange-mailbox-usage $database$|stats count by User,Database|table User,Database] | eval cs_username = User | `normalize_user` | stats latest(Size) as Size by user_subject,Folder | stats sum(Size) as tsize by user_subject | eval tmb=tsize/1048576 | table user_subject,tmb | sort -tmb | rename tmb as "Junk Mail Size (MB)",user_subject as "Mailbox Username" client_byusername?autoRun=true&form.username=$row.Mailbox Username$&earliest=$earliest$&latest=$latest$
Top Mailboxes by Growth Since Last Week eventtype=msexchange-mailbox-usage $database$ earliest=-1h latest=now | append [search eventtype=msexchange-mailbox-usage $database$ earliest=-169h latest=-168h | rename TotalItemSize as TotalItemSize_prev] | eval cs_username = User | `normalize_user` | stats max(TotalItemSize) as mboxsize, max(TotalItemSize_prev) as mboxsize_prev by user_subject | eval mboxsize_growth=mboxsize-mboxsize_prev | eval mboxsize_growth_perc=round(mboxsize_growth/mboxsize_prev*100) | sort -mboxsize_growth | eval mboxsize=ceiling(mboxsize/1048576) | eval mboxsize_prev=ceiling(mboxsize_prev/1048576) | eval mboxsize_growth=ceiling(mboxsize_growth/1048576) | fields user_subject, mboxsize_prev, mboxsize, mboxsize_growth, mboxsize_growth_perc | rename user_subject as "Mailbox Username", mboxsize as "Size Today (MB)", mboxsize_prev as "Size 7 Days Ago (MB)", mboxsize_growth as "Size Growth (MB)", mboxsize_growth_perc as "Size Growth (%)" client_byusername?autoRun=true&form.username=$row.Mailbox Username$&earliest=$earliest$&latest=$latest$