Compartir a través de


Message Tracking by Subject

This post talks about how we can do Message Tracking by Subject line

Let's talk about a scenario where we want to message tracking using Subject line. We don’t want to search using any other means like Message ID or Recipient information. We are trying to achieve this in Office 365 environment where we have more than 20K users

Points to ponder upon:

================

* We can do message tracking using Message ID, sender, recipient, .. etc, but there is no direct way in GUI or Powershell to track the message using Subject.

* Historical search requires us to specify sender or recipient information

* We can use eDiscovery, but as of now we have a hard limit of 10 K mailboxes which eDiscovery searches, so we had to (not so simple!!! )

Get all the users

Divide them to 10k Batches

Run the Discovery search

Collate information from all the searches

Not at all easy or state forward :)

 

* We can use Search-Mailbox command, use that in a loop to search all mailboxes.

Since we have 20K + mailboxes this search would take a lot of time to complete

Even though we might need to trace only specific period i.e.. eg Last 2 days, last 5 hours this search will perform a search for entire mailbox

Since it runs continuously for a long time we need to introduce Sleep in powershell to avoid throttling. This would further introduce delay

* We can run the below command to get the required results (This won't work in our scenario as we have 20 K users)

Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd -Page $c | Where {$_.Subject -like "*example*"} | ft -Wrap

 

* When we have huge number of users we will not get the required results as our environment would produce extremely huge number of results which spanned multiple pages. By default only 1000 items will be present in a page and only the first page will be displayed.

We can increase the number of items to be displayed to 5000, using the below command, still you might not get the required result if the output spans multiple pages.

Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd -PageSize 5000 | Where {$_.Subject -like "*example*"} | ft -Wrap

Resolution

========

Created a below script to resolve the issue

$dateEnd = get-date # Get current date

$dateStart = $dateEnd.AddHours(-10) # Minus number of hours from the current time you want to include in search

for($c=1;$c -lt 1001; $c++) # For loop goes for 1000 iterations as Maximum number of pages there could be 1000

  {

    if((Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd -PageSize 5000 -Page $c).count -gt 0)             

# If the current page we pulled has some entries, then enter the loop and search for Subject name

{

  Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd -PageSize 5000 -Page $c | Where {$_.Subject -like "*example*"} | ft -Wrap

}

else

   {break;}

}  

 Note: We can copy the results to a file, but not so easy and straight forward.

Comments

  • Anonymous
    August 13, 2015
    thanks
    very interesting and useful
  • Anonymous
    August 13, 2015
    question:
    what does -Page $c mean?
    Thanks
  • Anonymous
    August 13, 2015
    Hello turbomcp
    -Page $c refers to the cth page we are checking which is currently loaded in memory.
  • Anonymous
    November 24, 2015
    thanks
    btw check the new start-historicalsearch(max 90 days) wouldn't it solve this?
  • Anonymous
    November 24, 2015
    forget my last comment, didn't read what you were trying to accomplish.
    Thanks again for sharing this,great stuff
  • Anonymous
    May 09, 2016
    Thanks Turbomcp !!!
  • Anonymous
    November 16, 2016
    you are running trace twice ....it will take huge time to finish .....alternatively you could store the first result in variable and check with condition by using cound
    • Anonymous
      November 16, 2016
      Yes Vijay we can do that. That would look something like below, but i would have to test that out$dateEnd = get-date # Get current date$dateStart = $dateEnd.AddHours(-10) # Minus number of hours from the current time you want to include in search for($c=1;$c -lt 1001; $c++) # For loop goes for 1000 iterations as Maximum number of pages there could be 1000 {$msg =Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd -PageSize 5000 -Page $c if($msg.count -gt 0) # If the current page we pulled has some entries, then enter the loop and search for Subject name{ $msg | Where {$_.Subject -like "example"} | ft -Wrap}else {break;}}
  • Anonymous
    April 09, 2017
    I am tracking the message bases on subject, but result is not getting. However i have tracked bases on sender address i am getting it.Get-MessageTrace -StartDate 04/03/2017 -EndDate 04/10/2017 |Where {$_.Subject -eq "Mail Storage Exceeded !!!"} | Select Received, SenderAddress, RecipientAddress, Subject, StatusTried with: -PageSize 1000 as well.Thank you
    • Anonymous
      April 09, 2017
      Please assist me what is wrong in my powershell
      • Anonymous
        June 09, 2017
        Try to reduce the date range. Once you have got the email based on Sender, update the date to the single day and check the output. We need to do Trial and error, before we find out what is the issue
  • Anonymous
    April 24, 2017
    Thanks for the script. It's helpful. How hard would it be to export it to CSV? That would be helpful as well. Hope it's not too hard?
    • Anonymous
      June 09, 2017
      Not hard and not straight forward either. In every iteration we need to get the results appened to a csv file