I'm trying to make an alert for when someone emails more then 50 people within a one hour time span. The issue is that I have multiple values in the recipients field per event. I am dealing with Exchange logs and I would like to just do something like where count > 50. Any one run into this issue before?
sender recipients
User1 bla1;bla2;blah3;blah4
User1 blah4;blah9
user2 user1;blah5
user1 blah1
↧