Common Access Methods
``` Panel search: number of distinct users per client access method. Starts from every event that carries a client-*-usage eventtype. ```
eventtype="client-*-usage"
``` For events that carry the client-popimap-usage eventtype, rebuild cs_username as <last Account_Domain value>\<last Account_Name value>; all other events keep the cs_username they already have. ```
| eval cs_username=if (isnotnull(mvfind(eventtype, "client-popimap-usage")) ,mvindex(Account_Domain,-1)."\\".mvindex(Account_Name,-1),cs_username)
``` normalize_user is a macro defined outside this view; presumably it derives user_subject from cs_username - confirm. ```
| `normalize_user`
``` Extract the middle token of the eventtype name (client-<method>-usage) into AccessMethod. NOTE(review): eventtype can be multivalued (the eval above searches it with mvfind), so confirm which value rex uses when one event matches several client-*-usage eventtypes. ```
| rex field=eventtype "client-(?<AccessMethod>[^-]+)-usage"
``` dc() counts each user_subject once per method, so this is a user count, not a request count. ```
| stats dc(user_subject) as "# Unique Users" by AccessMethod
| rename AccessMethod as "Access Method"
| table "Access Method", "# Unique Users"
``` Largest user count first. ```
| sort -"# Unique Users"
Aggregate Mailbox Size of Top 10 Users over Time
``` Panel search: summed mailbox size over time, scaled by 1/1048576. The macro mailbox-info-for-user is defined outside this view and is called with "*". ```
`mailbox-info-for-user("*")`
``` One series per user_subject holding the latest TotalItemSize seen in each time bucket. No limit= is given, so timechart keeps its default of 10 series, and useother=f drops the remaining users instead of folding them into an OTHER series. ```
| timechart useother=f latest(TotalItemSize) as LSize by user_subject
``` With no field list, filldown replaces empty cells in every column with the value from the previous row, so a mailbox that reported nothing in a bucket keeps its last known size. ```
| filldown
``` Sum the per-user columns of each row into Total, then keep only the time axis and that sum. ```
| addtotals
| fields _time, Total
``` 1048576 = 1024*1024; presumably TotalItemSize is in bytes, which makes Total megabytes - confirm. ```
| eval Total=Total/1048576
``` NOTE(review): the column is labelled "All Mailboxes", but because of the series limit above Total only sums the mailboxes timechart kept. Relabel the column, or aggregate before splitting by user, if a true organization-wide total is wanted for capacity or anomaly monitoring. ```
| rename Total as "Total Size of All Mailboxes"
Top Mailboxes by Size
``` Panel search: latest reported size of each mailbox, largest first. ```
eventtype="msexchange-mailbox-usage"
``` The User field is renamed to cs_username before the normalize_user macro runs; the macro is defined outside this view and presumably produces user_subject from cs_username - confirm. ```
| rename User as cs_username
| `normalize_user`
``` Keep only the most recent TotalItemSize per user. ```
| stats latest(TotalItemSize) as MailboxSize by user_subject
``` Sort on the raw value, before rounding. The panel title says Top Mailboxes but no head/limit is applied here, so every user that sort returns is listed. ```
| sort -MailboxSize
| eval "Username" = user_subject
``` 1048576 = 1024*1024; presumably TotalItemSize is in bytes - confirm. round() with no precision argument yields whole MB. ```
| eval "Mailbox Size (MB)" = round(MailboxSize/1048576)
``` NOTE(review): the drilldown link that follows this search on the page substitutes the Username column into form.username as $row.Username$. Usernames can contain characters that are reserved in a query string (backslash, ampersand, percent), so the token should be URL-encoded (in Simple XML: $row.Username|u$) and the target view should treat form.username as untrusted input. ```
| table "Username", "Mailbox Size (MB)"
client_byusername?autoRun=true&form.username=$row.Username$&earliest=-24h&latest=now
Browser Usage
``` Panel search: ten most common browser/version pairs for OWA. The macro single-client-events-for-user is defined outside this view; it is called with owa and "*". ```
`single-client-events-for-user(owa,"*")`
``` Reduce the events to one row per distinct cs_user_agent value before the lookup. ```
| stats count by cs_user_agent
``` The useragent lookup is defined outside this view; the browser and browserversion fields used below presumably come from it - confirm. ```
| lookup useragent cs_user_agent
``` NOTE(review): top runs after stats, so it counts rows (distinct user-agent strings), and the count column produced by stats is not used. Percent is therefore the share of distinct user-agent strings, not of requests or users - confirm this is intended. ```
``` NOTE(review): cs_user_agent is presumably the User-Agent header sent by the client. It is client-controlled and easily changed, so read this panel as inventory data, not as proof of what software connected. ```
| top showcount=f showperc=t percentfield="Percent" limit=10 browser,browserversion
| rename browser as "Browser", browserversion as "Version"
Desktop OS Usage
``` Panel search: ten most common desktop OS / variant / version combinations for OWA. The macro single-client-events-for-user is defined outside this view; it is called with owa and "*". ```
`single-client-events-for-user(owa,"*")`
``` Reduce the events to one row per distinct cs_user_agent value before the lookup. ```
| stats count by cs_user_agent
``` The useragent lookup is defined outside this view; the os, osvariant and osversion fields used below presumably come from it - confirm. ```
| lookup useragent cs_user_agent
``` NOTE(review): top runs after stats, so it counts rows (distinct user-agent strings), and the count column produced by stats is not used. Percent is therefore the share of distinct user-agent strings, not of requests or users - confirm this is intended. ```
``` NOTE(review): the OS values are parsed from cs_user_agent, presumably the client-supplied User-Agent header. A client can send any value, so do not base patch-level or compliance conclusions on this panel alone. ```
| top showcount=f showperc=t percentfield="Percent" limit=10 os,osvariant,osversion
| rename os as "Operating System", osvariant as "Variant", osversion as "Version"
Mobile OS Usage
``` Panel search: ten most frequent DeviceId/DeviceType pairs for ActiveSync. The macro single-client-events-for-user is defined outside this view; it is called with activesync and "*". ```
`single-client-events-for-user(activesync,"*")`
``` NOTE(review): DeviceId is part of the grouping key, so each result row is presumably a single device ranked by how many rows the macro returned for it, not a per-platform share, although the panel is titled Mobile OS Usage. Group by DeviceType alone (counting distinct DeviceId values) if a platform breakdown is intended. ```
``` NOTE(review): DeviceId and DeviceType are presumably reported by the connecting client - confirm before relying on them for device allow-listing or incident scoping. ```
| top showcount=f showperc=t percentfield="Percent" limit=10 DeviceId,DeviceType
| rename DeviceType as "Device Type",DeviceId as "Device ID"