Created
October 13, 2019 03:45
-
-
Save bill-long/9293d555ed9c821449bc810bbc30ad36 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| param($IpAddress, $File) | |
| function OutputItems($start, $end, $items) { | |
| for ($x = $start; $x -le $end; $x++) { | |
| $items[$x] | |
| } | |
| } | |
| Write-Progress -Activity "Reading file" | |
| $sw = [System.Diagnostics.Stopwatch]::StartNew() | |
| if (-not [string]::IsNullOrEmpty($IpAddress)) { | |
| $results = (Select-String $IpAddress $File -SimpleMatch).Line | Select-String "^([\d|\-]+ [\d|:]+) [\d|\.]+ \w+ /mapi/emsmdb/ MailboxId=([\d|\w|\-]+)@[\w|\.]+ 444 ([\d|\w|\\]+) [\d|\.]+ \S+ - \d+ \d+ \d+ \d+ ([\d|\.]+)," | ForEach-Object { | |
| New-Object psobject -Property @{ | |
| Time = [DateTime]::Parse($_.Matches.Groups[1].Value) | |
| Mailbox = $_.Matches.Groups[2].Value | |
| User = $_.Matches.Groups[3].Value | |
| ClientIP = $_.Matches.Groups[4].Value | |
| } | |
| } | |
| } | |
| else { | |
| $results = Select-String "^([\d|\-]+ [\d|:]+) [\d|\.]+ \w+ /mapi/emsmdb/ MailboxId=([\d|\w|\-]+)@[\w|\.]+ 444 ([\d|\w|\\]+) [\d|\.]+ \S+ - \d+ \d+ \d+ \d+ ([\d|\.]+)," .\W3SV2_u_ex190924_x.log | ForEach-Object { | |
| New-Object psobject -Property @{ | |
| Time = [DateTime]::Parse($_.Matches.Groups[1].Value) | |
| Mailbox = $_.Matches.Groups[2].Value | |
| User = $_.Matches.Groups[3].Value | |
| ClientIP = $_.Matches.Groups[4].Value | |
| } | |
| } | |
| } | |
| Write-Host "Reading file took $($sw.Elapsed.TotalSeconds) seconds" | |
| Write-Progress -Activity "Grouping by IP" | |
| $sw.Restart() | |
| $results = $results | Group-Object ClientIP | |
| Write-Host "Grouping results took $($sw.Elapsed.TotalSeconds) seconds" | |
| $minDiff = [TimeSpan]::FromSeconds(355) | |
| $maxDiff = [TimeSpan]::FromSeconds(365) | |
| $progressCount = 0 | |
| $sw.Restart() | |
| $results | ForEach-Object { | |
| Write-Progress -Activity "Checking for NotificationWaits" -Status ("$progressCount / $($results.Count)") -PercentComplete ($progressCount * 100 / $results.Count) | |
| $beginIndex = 0 | |
| for ($x = 1; $x -lt $_.Group.Count; $x++) { | |
| $timeDiff = $_.Group[$x].Time - $_.Group[$x - 1].Time | |
| if (-not ($timeDiff -gt $minDiff -and $timeDiff -lt $maxDiff)) { | |
| if ($x - $beginIndex -gt 4) { | |
| OutputItems $beginIndex ($x - 1) $_.Group | |
| } | |
| $beginIndex = $x | |
| } | |
| } | |
| $progressCount++ | |
| if (($_.Group.Count - 1) - $beginIndex -gt 4) { | |
| OutputItems $beginIndex ($_.Group.Count - 1) $_.Group | |
| } | |
| } | |
| $sw.Stop() | |
| Write-Host "Finding NotificationWait patterns took $($sw.Elapsed.TotalSeconds) seconds" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment