# Saved searches for Microsoft Exchange monitoring. The keys used here (search,
# dispatch.*, cron_schedule, enableSched, action.summary_index) look like a
# Splunk savedsearches.conf - confirm against the app that ships this file.
#
# Every stanza carries disabled = 1, so nothing below runs until it is enabled.
# Stanzas with enableSched = true and run_on_startup = true will start running
# on their own once enabled; the rest have no schedule in this file.
# A trailing backslash continues the search value onto the next line, so no
# comment may be placed inside a continued search.
#
# NOTE(review): many of the client reports return user_subject, c_ip and DeviceId
# (usernames, client IP addresses, device identifiers). Who can read those results
# is decided by permissions that are not visible in this file - verify them.

# Builds one row per host from the latest topology event and writes it to the
# hostInformation lookup, keyed by host. Runs at minute 15 of every 4th hour over
# an 8 hour window, so consecutive runs overlap.
# NOTE(review): append=true adds or rewrites rows; nothing in this search removes a
# host that has stopped reporting, so decommissioned hosts presumably stay listed.
[Lookup - Host Information]
disabled = 1
search = eventtype=msexchange-topology \
    | stats latest(Cluster) as Cluster, \
    latest(Clustered) as Clustered, \
    latest(_time) as time, \
    latest(Site) as Site, \
    latest(HubTransport) as HubTransport, \
    latest(CAS) as CAS, \
    latest(EdgeTransport) as EdgeTransport, \
    latest(Mailbox) as Mailbox, \
    latest(UMServer) as UMServer, \
    latest(ProductVersion) as ProductVersion, \
    latest(WindowsVersion) as WindowsVersion, \
    by host \
    | eval _key = host \
    | eval ms_exchange_host = "true" \
    | outputlookup hostInformation append=true
cron_schedule = 15 */4 * * *
dispatch.earliest_time = -8h
dispatch.latest_time = now
enableSched = true
run_on_startup = true

# Lists throttling policies and joins in the distinct user count per policy taken
# from mailbox-usage events (outer join, so policies with no users are kept).
[CAS Throttling Policies]
disabled = 1
search = eventtype=msexchange-throttling-policies|dedup Name|table Name,IsDefault,WhenCreated,WhenChanged|join type=outer Name [search eventtype=msexchange-mailbox-usage|stats dc(User) as "# Users" by ThrottlingPolicy|rename ThrottlingPolicy as Name]
dispatch.earliest_time = -25h
dispatch.latest_time = now
is_visible = false

# Splits the comma-separated ServicesNotRunning field per server and shows only
# servers with at least one stopped service, plus a "# Problem Services" total row.
[Static Health Overview - Service Availability]
disabled = 1
search = eventtype=msexchange-topology|stats latest(ServicesNotRunning) as ServicesNotRunning by Name|eval Service=split(ServicesNotRunning,",")|eval ServiceCount=if(ServicesNotRunning!="",mvcount(Service),0)|table Name,Service,ServiceCount|addcoltotals fieldname=Service labelfield=Name label="# Problem Services"|eval Service=if(Name="# Problem Services",ServiceCount,Service)|search Name="# Problem Services" OR ServiceCount>0|table Name,Service|sort - Name
dispatch.earliest_time = -60m
dispatch.latest_time = now
is_visible = false

# Flags hosts whose newest event is more than 1800 seconds old.
# NOTE(review): the stats only sees hosts that produced at least one matching event
# inside the dispatch window (-60m here), so a host that was silent for the whole
# window yields no row and is not counted. Hosts without a Site in hostInformation
# are dropped by the where clause as well. Confirm whether the consuming view
# widens the time range; otherwise only 30-60 minute gaps are reported.
[Static Health Overview - Non-Reporting Servers]
disabled = 1
search = eventtype=msexchange-index OR eventtype=msperfmon-index host=* latest=now | stats latest(_time) as recent by host |lookup hostInformation host OUTPUT Site|where isnotnull(Site)|eval secs=if((now()-recent)>0, now()-recent,0)|eval x=if(secs>1800,1,0)|addcoltotals labelfield=host label="# Problem Servers" fieldname=x|eval timediff=tostring(secs,"duration")|eval timediff=if(host=="# Problem Servers",x,timediff)|table host,timediff,x|search host="# Problem Servers" OR x>0|table host,timediff|rename timediff as "Idle Time"
dispatch.earliest_time = -60m
dispatch.latest_time = now
is_visible = false

# Latest database and log sizes per database; FileSize and LogSize are divided by
# 1048576 and labelled MB. _drilldownMod rewrites backslashes in the database name.
[Mailbox Database Overview - Active Mailbox Databases]
disabled = 1
search = eventtype=msexchange-database-stats|stats latest(FileSize) as FileSize,latest(MainPercFree) as MainPercFree,latest(LogSize) as LogSize,latest(LogPercFree) as LogPercFree by host,Database|eval DBSize=round(FileSize/1048576, 2)|eval MainPercFree=round(MainPercFree,2)|eval LogSize=round(LogSize/1048576, 2)|eval LogPercFree=round(LogPercFree,2)|stats list(host) as host,list(DBSize) as DBSize,list(MainPercFree) as MainPercFree,list(LogSize) as LogSize,list(LogPercFree) as LogPercFree by Database|sort - DBSize|rename host as "Mailbox Store",DBSize as "Database Size (MB)",MainPercFree as "DB Free Space (%)",LogSize as "Log Size (MB)",LogPercFree as "Log Free Space (%)"|eval _drilldownMod=replace(Database,"\\\\","\\\\\\")
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

# Latest full, incremental and differential backup times per database.
# NOTE(review): the stats groups by Database only, so no host field survives to be
# renamed to "Mailbox Store"; that rename looks like a leftover - confirm.
[Mailbox Database Overview - Mailbox Database Backups]
disabled = 1
search = eventtype=msexchange-database-stats|stats latest(LastFullBackup) as LastFullBackup,latest(LastIncrementalBackup) as LastIncrementalBackup,latest(LastDifferentialBackup) as LastDifferentialBackup by Database|rename host as "Mailbox Store",LastFullBackup as "Last Full",LastIncrementalBackup as "Last Incremental", LastDifferentialBackup as "Last Differential"|eval _drilldownMod=replace(Database,"\\\\","\\\\\\")
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

# Status lights. Red when any topology event in the window has ProcsOK="False" for
# the role, yellow when processes are fine but the traffic eventtype has no events,
# green when traffic is seen.
[Message Tracking Landing - Hub Status]
disabled = 1
search = eventtype=msexchange-topology HubTransport="True" ProcsOK="False"|stats count as procs|appendcols [ search eventtype=msexchange-msgtrack|stats count]|eval light=case(procs>0,"redlight",count==0,"yellowlight",count>0,"greenlight")|eval process=procs|table process,light
dispatch.earliest_time = -10m
dispatch.latest_time = now
is_visible = false

[Message Tracking Landing - Mailbox Status]
disabled = 1
search = eventtype=msexchange-topology Mailbox="True" ProcsOK="False"|stats count as procs|appendcols [ search eventtype=storedriver-deliver|stats count]|eval light=case(procs>0,"redlight",count==0,"yellowlight",count>0,"greenlight")|eval process=procs|table process,light
dispatch.earliest_time = -10m
dispatch.latest_time = now
is_visible = false

# Most recent overview row of the sender-reputation data (rangemap and reputation).
[Static Health Overview - Outbound Mail Reputation]
disabled = 1
search = eventtype=senderbase-reputation ip=overview|head 1|table rangemap,reputation
dispatch.earliest_time = -240m
dispatch.latest_time = now
is_visible = false

# Message-rate panels. Each "Gauge" stanza takes the latest per-minute rate over the
# last 3 minutes; each "Rate" stanza charts the per-minute rate over the last hour.
[Message Tracking Landing - Inbound SMTP Gauge]
disabled = 1
search = eventtype=smtp-inbound|eval rate=1|timechart span=1m per_minute(rate) as rate|stats latest(rate) as rate
dispatch.earliest_time = -3m
dispatch.latest_time = now
is_visible = false

[Message Tracking Landing - Inbound SMTP Rate]
disabled = 1
search = eventtype=smtp-inbound|eval rate=1|timechart span=1m per_minute(rate) as rate
dispatch.earliest_time = -60m
dispatch.latest_time = now
is_visible = false

[Message Tracking Landing - Outbound SMTP Gauge]
disabled = 1
search = eventtype=smtp-outbound|eval rate=1|timechart span=1m per_minute(rate) as rate|stats latest(rate) as rate
dispatch.earliest_time = -3m
dispatch.latest_time = now
is_visible = false

[Message Tracking Landing - Outbound SMTP Rate]
disabled = 1
search = eventtype=smtp-outbound|eval rate=1|timechart span=1m per_minute(rate) as rate
dispatch.earliest_time = -60m
dispatch.latest_time = now
is_visible = false

[Message Tracking Landing - User Submission Gauge]
disabled = 1
search = eventtype=storedriver-receive|eval rate=1|timechart span=1m per_minute(rate) as rate|stats latest(rate) as rate
dispatch.earliest_time = -3m
dispatch.latest_time = now
is_visible = false

[Message Tracking Landing - User Submission Rate]
disabled = 1
search = eventtype=storedriver-receive|eval rate=1|timechart span=1m per_minute(rate) as rate
dispatch.earliest_time = -60m
dispatch.latest_time = now
is_visible = false

[Message Tracking Landing - Mailbox Delivery Gauge]
disabled = 1
search = eventtype=storedriver-deliver|eval rate=1|timechart span=1m per_minute(rate) as rate|stats latest(rate) as rate
dispatch.earliest_time = -3m
dispatch.latest_time = now
is_visible = false

[Message Tracking Landing - Mailbox Delivery Rate]
disabled = 1
search = eventtype=storedriver-deliver|eval rate=1|timechart span=1m per_minute(rate) as rate
dispatch.earliest_time = -60m
dispatch.latest_time = now
is_visible = false

# Top 10 recipients and senders of the last hour, shown as percentages only.
[Static Health Overview - Top Local Recipients]
disabled = 1
search = eventtype=storedriver-deliver|top limit=10 showcount=f showperc=t recipient
dispatch.earliest_time = -60m
dispatch.latest_time = now
is_visible = false

[Static Health Overview - Top Local Senders]
disabled = 1
search = eventtype=storedriver-receive|top limit=10 showcount=f showperc=t sender
dispatch.earliest_time = -60m
dispatch.latest_time = now
is_visible = false

# Client-access status lights, same red/yellow/green rule as the message tracking
# lights, computed from the latest ProcsOK per CAS host and the matching usage eventtype.
[Client Landing - OWA]
disabled = 1
search = eventtype=msexchange-topology CAS="True"|stats latest(ProcsOK) as ProcsOK by host|search ProcsOK="False"|stats count as procs|appendcols [search eventtype=client-owa-usage|stats count]|eval light=case(procs>0,"redlight",count==0,"yellowlight",count>0,"greenlight")|eval process="Outlook Web Access"|table process,light
dispatch.earliest_time = -10m
dispatch.latest_time = now
is_visible = false

[Client Landing - EWS]
disabled = 1
search = eventtype=msexchange-topology CAS="True"|stats latest(ProcsOK) as ProcsOK by host|search ProcsOK="False"|stats count as procs|appendcols [search eventtype=client-ews-usage|stats count]|eval light=case(procs>0,"redlight",count==0,"yellowlight",count>0,"greenlight")|eval process="Exchange Web Services"|table process,light
dispatch.earliest_time = -10m
dispatch.latest_time = now
is_visible = false

[Client Landing - ActiveSync]
disabled = 1
search = eventtype=msexchange-topology CAS="True"|stats latest(ProcsOK) as ProcsOK by host|search ProcsOK="False"|stats count as procs|appendcols [search eventtype=client-activesync-usage|stats count]|eval light=case(procs>0,"redlight",count==0,"yellowlight",count>0,"greenlight")|eval process="ActiveSync"|table process,light
dispatch.earliest_time = -10m
dispatch.latest_time = now
is_visible = false

[Client Landing - Outlook Anywhere]
disabled = 1
search = eventtype=msexchange-topology CAS="True"|stats latest(ProcsOK) as ProcsOK by host|search ProcsOK="False"|stats count as procs|appendcols [search eventtype=client-outlookanywhere-usage|stats count]|eval light=case(procs>0,"redlight",count==0,"yellowlight",count>0,"greenlight")|eval process="Outlook Anywhere"|table process,light
dispatch.earliest_time = -10m
dispatch.latest_time = now
is_visible = false

# Outlook and Outlook Anywhere usage over 24 hours. The backquoted names are search
# macros defined outside this file, so their filters cannot be checked from here.
[Outlook - Top Users by RPC Sessions]
disabled = 1
search = `client-outlook-events`|top showperc=t showcount=t user_subject,browser,browserversion|rename user_subject as "Username", browser as "Client", browserversion as "Client Version"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[Outlook - Top Users by IP Address and RPC Sessions]
disabled = 1
search = `client-outlook-events`|top showperc=t showcount=t user_subject,c_ip|rename c_ip as "IP Address", user_subject as "Username"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[Outlook - RPC Sessions over Time]
disabled = 1
search = `client-outlook-events`|eval pagecount=1|timechart fixedrange=t bins=120 per_minute(pagecount) as "RPC Sessions/minute"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[Outlook Anywhere - RPC Sessions over Time]
disabled = 1
search = `client-outlook-anywhere-events`|eval pagecount=1|timechart fixedrange=t bins=120 per_minute(pagecount) as "RPC Sessions/minute"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[Outlook Anywhere - Top Users by RPC Sessions]
disabled = 1
search = `client-outlook-anywhere-events`|top showperc=t showcount=t user_subject|rename user_subject as "Username"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[Outlook Anywhere - Top Users by IP Address and RPC Sessions]
disabled = 1
search = `client-outlook-anywhere-events`|top showperc=t showcount=t user_subject,c_ip|rename c_ip as "IP Address", user_subject as "Username"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

# Outlook Web Access usage over 24 hours. OS and browser are derived from
# cs_user_agent through the useragent lookup, so they are client-reported values.
[OWA - Top Users by Page Impressions]
disabled = 1
search = `client-outlook-webaccess-events`|top user_subject|rename user_subject as "Username"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[OWA - Top Users by IP Address and Page Impressions]
disabled = 1
search = `client-outlook-webaccess-events`|top user_subject,c_ip|rename c_ip as "IP Address", user_subject as "Username"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[OWA - Top Operating Systems]
disabled = 1
search = `client-outlook-webaccess-events`|lookup useragent cs_user_agent|stats count by user_subject,os,osvariant,osversion|top showperc=t showcount=t os,osvariant,osversion|rename os as "OS",osvariant as "Variant",osversion as "Version"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[OWA - Top Browsers]
disabled = 1
search = `client-outlook-webaccess-events`|lookup useragent cs_user_agent|stats count by user_subject,browser,browserversion|top showperc=t showcount=t browser,browserversion|rename browser as "Browser",browserversion as "Version"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[OWA - Page Impressions over Time]
disabled = 1
search = `client-outlook-webaccess-events`|eval pagecount=1|timechart fixedrange=t bins=120 per_minute(pagecount) as "Pages/minute"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

# ActiveSync usage over 24 hours, by user, device id and device type.
[ActiveSync - Top Users by Sync Events]
disabled = 1
search = `client-activesync-events`|top showperc=t showcount=t user_subject|rename user_subject as "Username"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[ActiveSync - Top Users by Device and Sync Events]
disabled = 1
search = `client-activesync-events`|top showperc=t showcount=t user_subject,DeviceId|rename DeviceId as "Device", user_subject as "Username"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[ActiveSync - Top Device Types]
disabled = 1
search = `client-activesync-events`|stats count by user_subject,DeviceType|top showperc=t showcount=t DeviceType
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[ActiveSync - Sync Events over Time]
disabled = 1
search = `client-activesync-events`|eval s=1|timechart fixedrange=t bins=60 per_minute(s) by DeviceType
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

# Audit view: ActiveSync events whose query string contains RemoteWipeRequested,
# listed with time, user, device and client IP.
# NOTE(review): on-demand report over the last 24h only; no schedule or alert action
# is defined in this stanza, so a wipe is seen only if someone opens the report.
[ActiveSync - Remote Device Wipes]
disabled = 1
search = `client-activesync-events`|search cs_uri_query="*RemoteWipeRequested*"|table _time,user_subject,DeviceId,DeviceType,c_ip|rename user_subject as "Username",c_ip as "Device IP"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

# Audit view: IIS log entries whose URI stem ends in BlockOrWipeDevice, with the
# requesting user and source IP. Same 24h on-demand scope as the stanza above.
[ActiveSync - User-initiated Device Wipe Requests]
disabled = 1
search = eventtype=client-iis-logs cs_uri_stem="*BlockOrWipeDevice"| `normalize_user` |table _time,user_subject,c_ip|rename user_subject as "Username",c_ip as "User IP"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

# Exchange Web Services usage; these stanzas use a 4 hour window, not 24 hours.
[EWS - Top Users by RPC Sessions]
disabled = 1
search = `client-ews-events`|top showperc=t showcount=t user_subject,browser,browserversion|rename user_subject as "Username", browser as "Client", browserversion as "Client Version"
dispatch.earliest_time = -4h
dispatch.latest_time = now
is_visible = false

[EWS - Top Users by IP Address and RPC Sessions]
disabled = 1
search = `client-ews-events`|top showperc=t showcount=t user_subject,c_ip|rename c_ip as "IP Address", user_subject as "Username"
dispatch.earliest_time = -4h
dispatch.latest_time = now
is_visible = false

[EWS - Requests over Time]
disabled = 1
search = `client-ews-events`|timechart fixedrange=t bins=120 per_minute(RpcC) as "Requests/min"
dispatch.earliest_time = -4h
dispatch.latest_time = now
is_visible = false

[EWS - Top Operating Systems]
disabled = 1
search = `client-ews-events`|lookup useragent cs_user_agent|stats count by user_subject,os,osvariant,osversion|top showperc=t showcount=t os,osvariant,osversion|rename os as "OS",osvariant as "Variant",osversion as "Version"
dispatch.earliest_time = -4h
dispatch.latest_time = now
is_visible = false

[EWS - Top Mail Clients]
disabled = 1
search = `client-ews-events`|stats count by user_subject,client|top showperc=t showcount=t client
dispatch.earliest_time = -4h
dispatch.latest_time = now
is_visible = false

# POP3 and IMAP4 logins (the third stanza's title calls these legacy clients): top 10
# users per protocol and login rate by ProtocolServiceName.
[Top POP3 Users]
disabled = 1
search = `client-pop-imap-events("POP3")`|top limit=10 showperc=t showcount=t user_subject|rename user_subject as Username,count as "# Logins"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[Top IMAP4 Users]
disabled = 1
search = `client-pop-imap-events("IMAP4")`|top limit=10 showperc=t showcount=t user_subject|rename user_subject as Username,count as "# Logins"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[Legacy Client Timechart]
disabled = 1
search = `client-pop-imap-events`|eval lcount=1|timechart fixedrange=t bins=120 per_minute(lcount) as "Logins/min" by ProtocolServiceName
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

# 30 day mailbox summary: count, counts above three size thresholds, average and
# maximum size.
# NOTE(review): thresholds are decimal (200000000, 500000000, 1000000000) while other
# searches in this file divide sizes by 1048576; presumably TotalItemSize is in bytes.
[Environment Report - Mailboxes]
disabled = 1
search = eventtype="msexchange-mailbox-usage" User="*"|dedup User|eval mailbox=1|eval mailbox200m=if(TotalItemSize>200000000,1,0)|eval mailbox500m=if(TotalItemSize>500000000,1,0)|eval mailbox1G=if(TotalItemSize>1000000000,1,0)|table User,TotalItemSize,mailbox,mailbox200m,mailbox500m,mailbox1G|addcoltotals labelfield=User label=Totals|search User=Totals|eval avgmailbox=round(TotalItemSize/mailbox)|table mailbox,mailbox200m,mailbox500m,mailbox1G,avgmailbox|rename mailbox as "# Mailboxes", mailbox200m as "# Mailboxes over 200Mb", mailbox500m as "# Mailboxes over 500Mb", mailbox1G as "# Mailboxes over 1Gb", avgmailbox as "Average Mailbox Size"|transpose 5|append [ search eventtype="msexchange-mailbox-usage" User="*"|stats max(TotalItemSize) as maxmailbox|eval column="Maximum Mailbox Size"|eval "row 1"=maxmailbox|table column,"row 1"]|rename column as "Field","row 1" as "Value"
dispatch.earliest_time = -30d
dispatch.latest_time = now
is_visible = false

# 30 day message totals read from the summary-internet-mail and summary-user-mail
# eventtypes (presumably fed by the si-msexchange-* stanzas further down - confirm).
# The numeric prefixes on the temporary field names only fix the row order for the sort.
# NOTE(review): the case() branch for "3er" compares with = where the other branches
# use ==; confirm that is intended.
[Environment Report - Messages]
disabled = 1
search = eventtype=summary-internet-mail|eval D="Internet_".event_id|timechart count by D|join _time [search eventtype=summary-user-mail|eval D="User_".event_id|timechart count by D]|eval 1tr=User_RECEIVE+Internet_RECEIVE|eval 2ir=User_RECEIVE|eval 3er=Internet_RECEIVE|eval 4ts=User_DELIVER+Internet_SEND|eval 5is=User_DELIVER|eval 6es=Internet_SEND|table 1tr,2ir,3er,4ts,5is,6es|addcoltotals labelfield=t label="Totals"|search t="Totals"|table 1tr,2ir,3er,4ts,5is,6es|transpose 6|sort column|eval column=case(column=="1tr","Total Messages Received",column=="2ir","......from Users",column="3er","......via SMTP",column=="4ts","Total Messages Sent",column=="5is","......by Users",column=="6es","......via SMTP")|rename column as "Parameter","row 1" as "Value"
dispatch.earliest_time = -30d
dispatch.latest_time = now
is_visible = false

# Distinct users per access method over 30 days, split by whether the user had any
# internal or any external events.
[Environment Report - Internal Clients]
disabled = 1
search = `clients-environment-report`|rename user_subject AS cs_username | `normalize_user` | where internalevents>0 | stats dc(user_subject) by AccessMethod
dispatch.earliest_time = -30d
dispatch.latest_time = now
is_visible = false

[Environment Report - External Clients]
disabled = 1
search = `clients-environment-report`|rename user_subject AS cs_username | `normalize_user` | where externalevents>0 | stats dc(user_subject) by AccessMethod
dispatch.earliest_time = -30d
dispatch.latest_time = now
is_visible = false

# Summary-indexing searches: each writes its si* output to the index named "summary".
# NOTE(review): the hourly windows are -1h to +0s relative to dispatch time and are
# not snapped to the hour, so a skipped or delayed run presumably leaves a gap or an
# overlap in the summary data - confirm how the scheduler is expected to behave.
[si-msexchange-internet-mail]
disabled = 1
search = eventtype=smtp-mail|sitimechart count by event_id
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = +0s
enableSched = true
is_visible = false
run_on_startup = false
action.summary_index = 1
action.summary_index._name = summary

[si-msexchange-user-mail]
disabled = 1
search = eventtype=storedriver-mail|sitimechart count by event_id
cron_schedule = 25 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = +0s
enableSched = true
is_visible = false
run_on_startup = false
action.summary_index = 1
action.summary_index._name = summary

[si-msexchange-user-population]
disabled = 1
search = eventtype=msexchange-mailbox-usage|eval MailboxSize=TotalItemSize/1048576|sitimechart dc(User), avg(MailboxSize)
cron_schedule = 15 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = +0s
enableSched = true
is_visible = false
run_on_startup = false
action.summary_index = 1
action.summary_index._name = summary

# Daily at 02:00: per user and access method, sums total, internal and external
# events. The internal/external split comes from the is-internal-ip macro, which is
# defined outside this file.
[si-client-users]
disabled = 1
search = `all-client-events-for-user("*")`|fields user_subject,AccessMethod,IPAddress|eval totalevents=1|eval internalevents=`is-internal-ip(IPAddress)`|eval externalevents=1-internalevents|sistats sum(totalevents) as totalevents,sum(internalevents) as internalevents,sum(externalevents) as externalevents by user_subject,AccessMethod
cron_schedule = 0 2 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = +0s
enableSched = true
is_visible = false
run_on_startup = false
action.summary_index = 1
action.summary_index._name = summary

# Latest access and modification times, item counts and sizes per public folder.
# Sizes are divided by 1024*1024 and labelled MB.
[Public Folder Usage]
disabled = 1
search = eventtype=msexchange-publicfolders FolderPath="*"|stats latest(Accessed) as "Last Accessed",latest(Modified) as "Last Modified",latest(ItemCount) as ItemCount,latest(ItemSize) as ItemSize,latest(DeletedItemCount) as DeletedItemCount,latest(DeletedItemSize) as DeletedItemSize,latest(ContactCount) as ContactCount by Folder,FolderPath,Database|eval iskb=round(ItemSize/(1024*1024),2)|eval Items=ItemCount." (".iskb."MB)"|eval dskb=round(DeletedItemSize/(1024*1024),2)|eval DeletedItems=DeletedItemCount." (".dskb."MB)"|table Folder,FolderPath,Database,"Last Accessed","Last Modified",Items,DeletedItems,ContactCount|rename FolderPath as "Folder Path", DeletedItems as "Deleted Items",ContactCount as "Contacts"
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

# Audit and compliance reports. Three of the four are single macro calls, so their
# actual filters live in macro definitions that are not part of this file.
[Unused Mailboxes Report]
disabled = 1
search = `unused-mailboxes-report`
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

# Mailboxes with LitigationHoldEnabled="True", with size and quota in MB.
[Litigation Hold Report]
disabled = 1
search = eventtype=msexchange-mailbox-usage LitigationHoldEnabled="True"|dedup User|eval percquota=(TotalItemSize/MinQuota)*100|eval TotalItemMB=TotalItemSize/1048576|eval QuotaMB=MinQuota/1048576|table User,host,Database,TotalItemMB,QuotaMB,percquota|sort TotalItemMB|rename User as Username,host as "Mailbox Host",TotalItemMB as "Mailbox Size (MB)",QuotaMB as "Quota (MB)",percquota as "%age Used"
dispatch.earliest_time = -70m
dispatch.latest_time = now
is_visible = false

[Multi-Mailbox Search Usage Report]
disabled = 1
search = `multimailboxsearch`
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[Non-Owner Mailbox Access Report]
disabled = 1
search = `noma-report`
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

# Writes the latest Active and MasterType per host and database to the dbInformation
# lookup, keyed by host___Database. Minute 30 of every 4th hour, 8 hour window.
[Lookup - Database Information]
disabled = 1
search = eventtype=msexchange-database-stats \
    | stats latest(Active) as Active,latest(MasterType) as MasterType by host,Database \
    | eval _key = host . "___" . Database \
    | outputlookup dbInformation append=true
cron_schedule = 30 */4 * * *
dispatch.earliest_time = -8h
dispatch.latest_time = now
enableSched = true
run_on_startup = true

# Daily at 01:00 over 7 days: normalises each mailbox user and records the last time
# it was seen in the userSubjectInformation lookup, keyed by user_subject.
# NOTE(review): as with the other lookup builders, append=true never removes rows, so
# users whose mailboxes were deleted presumably remain in the lookup.
[Lookup - User Subject Information]
disabled = 1
search = eventtype=msexchange-mailbox-usage \
    | dedup User \
    | eval cs_username = User \
    | `normalize_user` \
    | stats latest(_time) as time by user_subject \
    | eval _key = user_subject \
    | outputlookup userSubjectInformation append=true
cron_schedule = 0 1 * * *
dispatch.earliest_time = -7d
dispatch.latest_time = now
enableSched = true
run_on_startup = true

# Data-collection checks: each returns a distinct count of hosts or users seen in one
# data source over the last 24 hours.
[Troubleshooting - Inventory]
disabled = 1
search = eventtype=msexchange-topology|stats dc(host) as hostcount
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

# Counts hosts present in both perfmon and topology data; host is lower-cased on both
# sides before the inner join.
[Troubleshooting - Performance]
disabled = 1
search = eventtype=msexchange-perfmon|stats count by host|eval host=lower(host)|join type=inner host [search eventtype=msexchange-topology|stats count by host|eval host=lower(host)]|stats dc(host) as hostcount
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[Troubleshooting - User Mailboxes]
disabled = 1
search = eventtype=msexchange-mailbox-usage|stats dc(User) as usercount
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[Troubleshooting - User Folders]
disabled = 1
search = eventtype=msexchange-folder-usage|stats dc(User) as usercount
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[Troubleshooting - Message Tracking]
disabled = 1
search = eventtype=msexchange-msgtrack|stats dc(host) as hostcount
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

[Troubleshooting - Web Logs]
disabled = 1
search = eventtype=client-iis-logs|stats dc(host) as hostcount
dispatch.earliest_time = -24h
dispatch.latest_time = now
is_visible = false

# Distinct message ids in the last minute, multiplied by 60 to extrapolate an hourly
# rate for the gauge macro.
[Static Health Overview - Message Processing Rate]
disabled = 1
search = eventtype=storedriver-mail|stats dc(message_id) as count|eval count=count*60|`msgs-per-hr-gauge`
dispatch.earliest_time = -1m
dispatch.latest_time = now
is_visible = false