
Searching Message Tracking Logs by Time and Date Range

I’ve previously written about message tracking in Exchange Server as well as some tips on how to search message tracking logs using PowerShell.

In this article I will demonstrate a few different ways that you can specify time and date ranges for message tracking log searches. This is a useful technique because it can speed up your searches by minimizing the amount of log data that the search inspects.

As an example of this speed difference, here is the result of Get-MessageTrackingLog for all logs on a single server.

In contrast, here is a search of only the last 24 hours of message tracking logs.

If you’re wondering about that “AddHours(-24)” bit don’t worry, we’ll get to that shortly.

You can see that in a very large environment you will save yourself a lot of time by knowing how to narrow your message tracking log searches with time and date ranges.

Get-MessageTrackingLog Time/Date Range Parameters

There are two parameters for specifying time and date ranges when running the Get-MessageTrackingLog cmdlet.

  • -Start – the point in time to start returning log entries. If omitted the search will begin at the first entry of the oldest message tracking log file on the server.
  • -End – the point in time to stop returning log entries, up to but not including the time/date specified. If omitted the search will end at the last entry of the latest message tracking log file on the server.

Both parameters accept values in the System.DateTime format, meaning mm/dd/yyyy hh:mm:ss. An example of a valid date would be “9/19/2012”.

Another example would be “9/19/2012 13:00:00”. Quotes need to be used when specifying both a date and time.

Specifying Relative Time/Date Ranges using Get-Date

Often you will find yourself in situations where you want to search the logs for a period of time without having to work out the exact start or end time for the search.

For example, you may wish to search only the last hour of logs because somebody has asked you to help troubleshoot a lost email that they only sent within the last hour.

In these situations the Get-Date cmdlet can be used to provide relative time/date ranges. This is actually how I perform most of my own searches.

On its own Get-Date returns a DateTime object (and outputs a human-friendly version of it to your shell).

We also get several methods that are of use to us in this situation.

I tend to use the AddHours and AddDays methods the most. Here is an example of Get-Date on its own, and then Get-Date using the AddHours method to subtract one hour.

So now let’s combine that with the Get-MessageTrackingLog -Start parameter to search the message tracking logs only for the last hour.

Pretty simple stuff right? So let’s look at some more examples.

Remember as we go through each of these examples that you may need to use “-ResultSize Unlimited” for searches that are expected to return more than 1000 results. As a general rule I use it on all searches just to save time.

Searching Message Tracking Logs for a Single Day

In this scenario you might be tempted to specify the same value as both the start and end date, but this will return an error.

The correct method is to specify the next day as the end date, remembering that the time/date value used for -End is excluded from the results.

In the above example only log entries occurring between 9/17/2012 00:00:00 and 9/17/2012 23:59:59 will be returned. Obviously another way of achieving that is to specify those exact hours/minutes/seconds in your search.

That is more typing for the exact same result, so you may as well stick to the more efficient method of simply specifying the date on its own.

Searching Between Two Specific Times/Dates

As a follow-on from the previous example, it should by now be clear that you can search between any precise start and end times.

Just remember that the hh:mm:ss can be either 24-hour time or AM/PM. If you do not specify AM/PM and enter an ambiguous time such as “11:59:59” then the time will be interpreted as AM.

For example, this will search to 11:59:59 PM.

And this will search to 11:59:59 PM, because the time is specified using 24-hour format.

But this will search to 11:59:59 AM, because ambiguous times will default to AM.

Searching Between a Fixed and a Relative Time/Date Range

You may also wish to combine fixed and relative time/date values in your search.

For example, a search of all messages starting from noon on 17th September and ending 8 hours later.

This may seem a bit of a strange example, but the reason I’m using it is to demonstrate one little gotcha with DateTime values.

On my server the regional settings are set to “English (Australia)” for time, meaning the format is dd/mm/yyyy instead of the US mm/dd/yyyy.

This means that I need to use US format for Get-MessageTrackingLog, but Australian format for Get-Date.

But I can avoid this confusion, and also save a little typing, by capturing the start date in a variable first and re-using it in my Get-MessageTrackingLog command. Once the DateTime object has been captured in a variable the regional settings become irrelevant, and each cmdlet is able to interpret it correctly regardless.

This habit also gives you the advantage of a fixed point in time if you were running multiple searches moving through the logs hour by hour as I sometimes do.
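
The regional-settings gotcha and the AM/PM rule can be checked without touching the logs. The following is an added example, not code from the original article; it assumes the two behaviours correspond to .NET's invariant (US-style) and en-AU parsing rules, the function name Convert-DateString is hypothetical, and the sample strings are constructed.

```powershell
# Added example (not from the original article): how one date string parses
# under US-style (invariant) rules versus en-AU regional settings.
function Convert-DateString {
    param(
        [string]$Text,
        [System.Globalization.CultureInfo]$Culture = [System.Globalization.CultureInfo]::InvariantCulture
    )
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParse($Text, $Culture,
            [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
    # Print in an unambiguous year-month-day, 24-hour form.
    if ($ok) { $parsed.ToString('yyyy-MM-dd HH:mm:ss') } else { 'rejected' }
}

$enAU = [System.Globalization.CultureInfo]::GetCultureInfo('en-AU')

# Constructed sample inputs: date-only strings, then the three end times
# discussed in the article (no AM/PM, explicit PM, 24-hour).
$samples = '9/17/2012', '17/9/2012', '9/10/2012',
           '9/17/2012 11:59:59', '9/17/2012 11:59:59 PM', '9/17/2012 23:59:59'

foreach ($s in $samples) {
    New-Object PSObject -Property @{
        Text      = $s
        Invariant = Convert-DateString -Text $s
        EnAU      = Convert-DateString -Text $s -Culture $enAU
    } | Select-Object Text, Invariant, EnAU
}

# Building the value from numbers (year, month, day, hour, minute, second)
# involves no string parsing, so regional settings cannot change its meaning.
$start = New-Object DateTime 2012, 9, 17, 12, 0, 0
$end   = $start.AddHours(8)
'{0:yyyy-MM-dd HH:mm:ss} to {1:yyyy-MM-dd HH:mm:ss}' -f $start, $end
```

The row to watch is '9/10/2012': both rule sets accept it, but they disagree on whether it is in September or October, so a search built from that string can silently cover the wrong day.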

Filtering Search Results using Where-Object

As a final example remember that a good practice is to capture your message tracking log search results into a variable so that you can quickly and easily filter those results down further without needing to re-run your search.

You can then simply use Where-Object to return more specific time/date ranges from the data already captured in that variable, using the TimeStamp value.

For example, where in the previous command I collected all message tracking log entries for the 17th September, I can now filter that down to only those entries that were written between 14:00 and 14:05.

When using comparison operators against DateTime values remember that -gt (greater than) means “after/later than” and -lt (less than) means “before/earlier than”.
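
The single-day search, the fixed start captured in a variable, and the Where-Object filtering fit together as follows. This is an added example, not code from the original article; Get-HourlyWindow and Select-TimeWindow are hypothetical helper names, and the fallback entries are constructed sample data used only when the Exchange cmdlet is not loaded.

```powershell
# Added example, not from the original article.

# Fixed point in time built from numbers, so regional settings do not matter.
$day = New-Object DateTime 2012, 9, 17          # 17 Sep 2012 00:00:00

function Get-HourlyWindow {
    # Splits Start..End into one-hour windows. Each window's End is the next
    # window's Start, which suits -End because -End is excluded from results.
    param([datetime]$Start, [datetime]$End)
    for ($s = $Start; $s -lt $End; $s = $s.AddHours(1)) {
        $e = $s.AddHours(1)
        if ($e -gt $End) { $e = $End }
        New-Object PSObject -Property @{ Start = $s; End = $e }
    }
}

function Select-TimeWindow {
    # Filters captured entries on TimeStamp: at or after Start, before End.
    # Using -ge for the start means an entry on a boundary lands in one window only.
    param([object[]]$Entries, [datetime]$Start, [datetime]$End)
    $Entries | Where-Object { $_.TimeStamp -ge $Start -and $_.TimeStamp -lt $End }
}

if (Get-Command Get-MessageTrackingLog -ErrorAction SilentlyContinue) {
    # One search for the whole day: the end date is the next day.
    $msgs = Get-MessageTrackingLog -Start $day -End $day.AddDays(1) -ResultSize Unlimited
} else {
    # Constructed sample entries, chosen to sit on the window boundaries.
    $msgs = foreach ($t in '11:59:59', '12:00:00', '13:59:59', '14:00:00',
                           '14:03:10', '14:05:00', '19:59:59', '20:00:00') {
        New-Object PSObject -Property @{ TimeStamp = $day.Add([timespan]$t); EventId = 'RECEIVE' }
    }
}

# Entries written from 14:00 up to, but not including, 14:05.
$from = $day.AddHours(14)
Select-TimeWindow -Entries $msgs -Start $from -End $from.AddMinutes(5) |
    Sort-Object TimeStamp | Format-Table TimeStamp, EventId -AutoSize

# Hour-by-hour counts from noon for 8 hours, reusing the same captured results.
Get-HourlyWindow -Start $day.AddHours(12) -End $day.AddHours(20) | ForEach-Object {
    $hits = @(Select-TimeWindow -Entries $msgs -Start $_.Start -End $_.End)
    '{0:HH:mm} to {1:HH:mm}  {2} entries' -f $_.Start, $_.End, $hits.Count
}
```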

Summary

As you can see, once you become familiar with the use of time/date ranges you can perform very fast, very precise message tracking log searches on your Exchange Servers using PowerShell.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

9 comments

  1. Ios. says:

    Great article, as always, Thanks Paul.

    Only this morning I was playing with the MTL in 2010 and came up with the following which may be of help to others. It’s very basic, no error checking, but when saved as a .ps1 script, lets you grab the last x minutes of logs across all transport servers. The key issue I was trying to solve was that when searching multiple transport servers at the same time, you’d get all of the results from the first server, then all from the 2nd, etc., which when you’re looking for a particular time, can be a pain. It isn’t pretty, and I probably wouldn’t use it where there are more than a couple of hub servers, but it works:

    [PS] C:\Scripts>.\Get-MTLLastMins.ps1 15
    #copy the rest to a script
    param([int]$mins=60); #default to 60mins if no number added
    Write-Host "Last $mins minutes of MessageTrackingLog across all Transport Servers."
    #PadRight keeps Substring from failing (and the column coming out blank) on values shorter than the cut-off
    Get-TransportServer | Get-MessageTrackingLog -Start (Get-Date).AddMinutes(-$mins) -Resultsize unlimited | Select-Object TimeStamp,EventId,Source,@{Name="MessageSubject";Expression={($_.MessageSubject).PadRight(25).Substring(0,25)}},@{Name="Sender";Expression={($_.Sender).PadRight(30).Substring(0,30)}},@{Name="ClientHost";Expression={($_.ClientHostname).PadRight(14).Substring(0,14)}},@{Name="ServerHost";Expression={($_.ServerHostName)}},Recipients | Sort TimeStamp | ft
    #end of script

  2. dosh says:

    Back in the days of Exchange 2003, one did not have to bother with such scripting as message tracking was more user friendly – I still regret having to upgrade to 2010.
    Why did 2010 developers decide to make things more difficult?

  3. Pravin says:

    I have to generate a spam report from the message tracking logs. I am able to get the report with a count per day, but I am not able to put the date in the report. Can you help me with this?

    I have run the command below.

    Get-TransportServer -identity hub1 |Get-MessageTrackingLog -EventID send -Recipients spam@abc.com -Start (Get-Date).AddDays(-1) -End (Get-Date) -Resultsize unlimited | Group-Object ClientHostname

    It is giving me below output.

    Count Name Group
    ----- ---- -----
    125 Hub1 {Microsoft.Exchange.Management.TransportLogSearchTasks.MessageTrackingEvent,

    I want just the date in this report, so that it gives me the date, count and server.

    Thanks in advance.

  4. Jim says:

    When I include the Timestamp field in the format-table output, I often find that rows are out of order even though I am sorting the Timestamp field. They are apparently out of order because it is only resolving the time to hh:mm:ss, not hh:mm:ss.000 syntax. Is there a way to get the Timestamp column to show the latter syntax to get the rows in the correct order?
