Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Litigation Hold status
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a litigation hold report and I need to display if the account is disable. I created a lookup table so I can display user full and if the account is disable. when I pull data from the lookup table I can't display the status
Here is my search
eventtype=msexchange-mailbox-usage Database="*" Database="*" LitigationHoldEnabled=True |dedup User
|table User, TotalDeletedItemSize, TotalItemSize, Database, Total, LitigationHoldEnable
|addtotals fieldname=Total
| lookup ActiveDirectoryUsers.csv User OUTPUT name
|stats max(Total) as Total by name, Database
|eval Total=round((Total/1000/1000/1000),2)
|rename name as "Mailbox User Name",Total as "Mailbox Size (GB)"
in the lookup table I have this: name, User, status
for example : name: Rumer, Shelly, status: disable
in my final report all I see the name, database, total
i'm not able to display the status
thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eventtype=msexchange-mailbox-usage Database="*" Database="*" LitigationHoldEnabled=True
| dedup User
| table User, TotalDeletedItemSize, TotalItemSize, Database, Total, LitigationHoldEnable
| addtotals fieldname=Total
| stats max(Total) as Total by User, Database
| lookup ActiveDirectoryUsers.csv User OUTPUT name, status
| eval Total=round((Total/1000/1000/1000),2)
| rename name as "Mailbox User Name",Total as "Mailbox Size (GB)"
| fields - User
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eventtype=msexchange-mailbox-usage Database="*" Database="*" LitigationHoldEnabled=True
| dedup User
| table User, TotalDeletedItemSize, TotalItemSize, Database, Total, LitigationHoldEnable
| addtotals fieldname=Total
| stats max(Total) as Total by User, Database
| lookup ActiveDirectoryUsers.csv User OUTPUT name, status
| eval Total=round((Total/1000/1000/1000),2)
| rename name as "Mailbox User Name",Total as "Mailbox Size (GB)"
| fields - User
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
