Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Litigation Hold status
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a litigation hold report and I need to display if the account is disable. I created a lookup table so I can display user full and if the account is disable. when I pull data from the lookup table I can't display the status
Here is my search
eventtype=msexchange-mailbox-usage Database="*" Database="*" LitigationHoldEnabled=True |dedup User
|table User, TotalDeletedItemSize, TotalItemSize, Database, Total, LitigationHoldEnable
|addtotals fieldname=Total
| lookup ActiveDirectoryUsers.csv User OUTPUT name
|stats max(Total) as Total by name, Database
|eval Total=round((Total/1000/1000/1000),2)
|rename name as "Mailbox User Name",Total as "Mailbox Size (GB)"
in the lookup table I have this: name, User, status
for example : name: Rumer, Shelly, status: disable
in my final report all I see the name, database, total
i'm not able to display the status
thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eventtype=msexchange-mailbox-usage Database="*" Database="*" LitigationHoldEnabled=True
| dedup User
| table User, TotalDeletedItemSize, TotalItemSize, Database, Total, LitigationHoldEnable
| addtotals fieldname=Total
| stats max(Total) as Total by User, Database
| lookup ActiveDirectoryUsers.csv User OUTPUT name, status
| eval Total=round((Total/1000/1000/1000),2)
| rename name as "Mailbox User Name",Total as "Mailbox Size (GB)"
| fields - User
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eventtype=msexchange-mailbox-usage Database="*" Database="*" LitigationHoldEnabled=True
| dedup User
| table User, TotalDeletedItemSize, TotalItemSize, Database, Total, LitigationHoldEnable
| addtotals fieldname=Total
| stats max(Total) as Total by User, Database
| lookup ActiveDirectoryUsers.csv User OUTPUT name, status
| eval Total=round((Total/1000/1000/1000),2)
| rename name as "Mailbox User Name",Total as "Mailbox Size (GB)"
| fields - User
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
