JustinGrote/Format-ExchangeMessageTrace.ps1

## Format-ExchangeMessageTrace.ps1
<#
.SYNOPSIS
Takes an Exchange Extended Message Trace and parses it into usable powershell objects
#>
[CmdletBinding()]
param (
    #Path to the extended message trace CSV
    [Parameter(Mandatory)][String[]]$CSVPath
)

process {
    foreach ($CSVPathItem in $CSVPath) {
        $emt = import-csv $CSVPathItem -ErrorAction Stop
        foreach ($emtItem in $emt) {
            #Convert the report line item into a hashtable to add more properties
            $emtProps = $emtItem.psobject.properties |
                foreach -begin {$h=[ordered]@{}} -process {$h."$($_.Name)" = $_.Value} -end {$h}

            #Blank out Extended Properties. Makes sure all objects have these properties for sort/filter purposes
            $emtProps.SpamFilterReport = $null

            $emtCustomData = $emtItem.custom_data -split ';'
            foreach ($emtCustomDataItem in $emtCustomData) {
                $ResultProps = [ordered]@{}
                if ($emtCustomDataItem -match '^S:([A-Z]{3,4})=(.*)') {
                    $ResultProps.Agent = $matches[1]
                    $emtCustomDataItem = $matches[2]
                }

                #Parser for the Spam Filter Agent
                if ($ResultProps.Agent -match 'SFA') {
                    $ResultProps.Agent = "SpamFilter"
                    $SFAData = $emtCustomDataItem.split("|")

                    #Spam Engine (SUM) means multiple
                    $ResultProps.Engine = $SFAData[0]

                    #Ascribe all individual properties
                    $SFAData |
                        where {$PSItem -notmatch '^(SUM|SFS|LAT)'} |
                        foreach {
                            $SFADataItem = $PSItem -split '='
                            if ($SFADataItem.count -eq 0) {
                                write-error "SFA No Value Found"
                                return;
                            }
                            if ($SFADataItem.count -ne 2) {
                                $SFAValue = $null
                            } else {
                                $SFAValue = $SFADataItem[1]
                            }
                            $ResultProps.($SFADataItem[0]) = $SFAValue
                        }

                    #Convert the matched Spam Rules to an arrayed property
                    $ResultProps.SFS = @()
                    $SFAData |
                        where {$PSItem -match 'SFS'} |
                        foreach {
                            $ResultProps.SFS += ($PSItem -split '=')[1]
                        }

                    #Convert the matched LAT to an arrayed property
                    $ResultProps.LAT = @()
                    $SFAData |
                        where {$PSItem -match 'LAT'} |
                        foreach {
                            $ResultProps.LAT += ($PSItem -split '=')[1]
                        }
                    #Construct the final result and output it
                    $emtProps.SpamFilterReport = [PSCustomObject]$ResultProps
                }
            }
            [PSCustomObject]$emtProps
        }
    }
}
	<#
	.SYNOPSIS
	Takes an Exchange Extended Message Trace and parses it into usable powershell objects
	#>
	[CmdletBinding()]
	param (
	#Path to the extended message trace CSV
	[Parameter(Mandatory)][String[]]$CSVPath
	)

	process {
	foreach ($CSVPathItem in $CSVPath) {
	$emt = import-csv $CSVPathItem -ErrorAction Stop
	foreach ($emtItem in $emt) {
	#Convert the report line item into a hashtable to add more properties
	$emtProps = $emtItem.psobject.properties \|
	foreach -begin {$h=[ordered]@{}} -process {$h."$($_.Name)" = $_.Value} -end {$h}

	#Blank out Extended Properties. Makes sure all objects have these properties for sort/filter purposes
	$emtProps.SpamFilterReport = $null

	$emtCustomData = $emtItem.custom_data -split ';'
	foreach ($emtCustomDataItem in $emtCustomData) {
	$ResultProps = [ordered]@{}
	if ($emtCustomDataItem -match '^S:([A-Z]{3,4})=(.*)') {
	$ResultProps.Agent = $matches[1]
	$emtCustomDataItem = $matches[2]
	}

	#Parser for the Spam Filter Agent
	if ($ResultProps.Agent -match 'SFA') {
	$ResultProps.Agent = "SpamFilter"
	$SFAData = $emtCustomDataItem.split("\|")

	#Spam Engine (SUM) means multiple
	$ResultProps.Engine = $SFAData[0]

	#Ascribe all individual properties
	$SFAData \|
	where {$PSItem -notmatch '^(SUM\|SFS\|LAT)'} \|
	foreach {
	$SFADataItem = $PSItem -split '='
	if ($SFADataItem.count -eq 0) {
	write-error "SFA No Value Found"
	return;
	}
	if ($SFADataItem.count -ne 2) {
	$SFAValue = $null
	} else {
	$SFAValue = $SFADataItem[1]
	}
	$ResultProps.($SFADataItem[0]) = $SFAValue
	}

	#Convert the matched Spam Rules to an arrayed property
	$ResultProps.SFS = @()
	$SFAData \|
	where {$PSItem -match 'SFS'} \|
	foreach {
	$ResultProps.SFS += ($PSItem -split '=')[1]
	}

	#Convert the matched LAT to an arrayed property
	$ResultProps.LAT = @()
	$SFAData \|
	where {$PSItem -match 'LAT'} \|
	foreach {
	$ResultProps.LAT += ($PSItem -split '=')[1]
	}
	#Construct the final result and output it
	$emtProps.SpamFilterReport = [PSCustomObject]$ResultProps
	}
	}
	[PSCustomObject]$emtProps
	}
	}
	}