Deploiement_Server/deployment-apps/DA-ITSI-CP-microsoft-exchange/default/data/ui/views/client_overview.xml

<form version="1.1">
    <label>User Behavior Overview - Microsoft Exchange</label>
    <fieldset autoRun="true">
        <input type="time">
		<label></label>
            <default>Last 24 hours</default>
        </input>
    </fieldset>
    <row>
        <table>
            <title>Common Access Methods</title>
            <search>
                <query>
                    eventtype="client-*-usage"
                   | eval cs_username=if (isnotnull(mvfind(eventtype, "client-popimap-usage")) ,mvindex(Account_Domain,-1)."\\".mvindex(Account_Name,-1),cs_username)
                   | `normalize_user`
                   | rex field=eventtype "client-(?&lt;AccessMethod&gt;[^-]+)-usage"
                   | stats dc(user_subject) as "# Unique Users" by AccessMethod
                   | rename AccessMethod as "Access Method"
                   | table "Access Method", "# Unique Users"
                   | sort -"# Unique Users"
                </query>
            </search>
            <option name="count">10</option>
            <option name="rowNumbers">false</option>
            <option name="showPager">false</option>
        </table>
        <chart>
            <title>Aggregate Mailbox Size of Top 10 users over Time</title>
            <search>
                <query>
`mailbox-info-for-user("*")`
| timechart useother=f latest(TotalItemSize) as LSize by user_subject
| filldown
| addtotals
| fields _time, Total
| eval Total=Total/1048576
| rename Total as "Total Size of All Mailboxes"
                </query>
            </search>
            <option name="height">240</option>
            <option name="charting.axisTitleX.text">Time</option>
            <option name="charting.axisTitleY.text">MB</option>
            <option name="charting.chart">area</option>
            <option name="charting.legend.placement">bottom</option>
            <option name="charting.chart.nullValueMode">connect</option>
        </chart>
    </row>
    <row>
        <table>
            <title>Top Mailboxes by Size</title>
            <search>
                <query>
eventtype="msexchange-mailbox-usage"
| rename User as cs_username
| `normalize_user`
| stats latest(TotalItemSize) as MailboxSize by user_subject
| sort -MailboxSize
| eval "Username" = user_subject
| eval "Mailbox Size (MB)" = round(MailboxSize/1048576)
| table "Username", "Mailbox Size (MB)"
                </query>
            </search>
            <option name="count">10</option>
            <option name="rowNumbers">false</option>
            <option name="showPager">false</option>
            <drilldown>
                <link>client_byusername?autoRun=true&amp;form.username=$row.Username$&amp;earliest=-24h&amp;latest=now</link>
            </drilldown>
        </table>
        <table>
            <title>Browser Usage</title>
             <search>
                <query>
`single-client-events-for-user(owa,"*")`
| stats count by cs_user_agent
| lookup useragent cs_user_agent
| top showcount=f showperc=t percentfield="Percent" limit=10 browser,browserversion
| rename browser as "Browser", browserversion as "Version"
                </query>
            </search>
            <option name="count">10</option>
            <option name="rowNumbers">true</option>
            <option name="showPager">false</option>
        </table>
    </row>
    <row>
        <table>
            <title>Desktop OS Usage</title>
            <search>
                <query>
`single-client-events-for-user(owa,"*")`
| stats count by cs_user_agent
| lookup useragent cs_user_agent
| top showcount=f showperc=t percentfield="Percent" limit=10 os,osvariant,osversion
| rename os as "Operating System", osvariant as "Variant", osversion as "Version"
                </query>
            </search>
            <option name="count">10</option>
            <option name="rowNumbers">true</option>
            <option name="showPager">false</option>
        </table>
        <table>
            <title>Mobile OS Usage</title>
            <search>
                <query>
`single-client-events-for-user(activesync,"*")`
| top showcount=f showperc=t percentfield="Percent" limit=10 DeviceId,DeviceType
| rename DeviceType as "Device Type",DeviceId as "Device ID"
                </query>
            </search>
            <option name="count">10</option>
            <option name="rowNumbers">true</option>
            <option name="showPager">false</option>
        </table>
    </row>
</form>