MailTrafficTop report

The MailTrafficTop REST URI provides summary information about the users sending and receiving the greatest number of email messages in the organization. The start and end date/time of the report can be specified in the request, as can the time period for which the data is aggregated.

Applies to: Office 365


REST URIs

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailTrafficTop[?ODATA options]

Fields

The following fields can be specified in $select, $filter, and $orderby ODATA2 query options. All fields are returned if no $select option is provided.

| Name | WCF Type* | EDM Type* | [In/Out]** Description | Example values | Added in service version |
|---|---|---|---|---|---|
| AggregateBy | string | None specified | [In] Indicates whether to combine data into report entries covering full days. The only $filter values allowed are Day and Hour. When not supplied, the report aggregates over 1-hour periods. When included in a $select option, this field always returns null. See the "Remarks" section for more information. | Day or Hour | 2013-V1 |
| Date | System.DateTime | Edm.DateTime | [In/Out] The date and time the message was detected as being spam. | Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM") | 2013-V1 |
| Direction | string | None specified | [In/Out] Specifies whether the email was being sent to (Inbound) or from (Outbound) the organization when it was detected as being spam. | Values are restricted to Inbound and Outbound | 2013-V1 |
| Domain | string | None specified | [In/Out] The fully qualified domain name that was processing the email. | example.onmicrosoft.com | 2013-V1 |
| EndDate | System.DateTime | Edm.DateTime | [In] This field is used to limit the report period. Use this field in a $filter query option to set the end date and time of the reporting period. If you supply EndDate in the $filter option, you must also supply StartDate. | Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM") | 2013-V1 |
| EventType | string | None specified | [In/Out] The type of scanning event logged. For information about valid EventType values, see MailFilterList report. | SpamContentFiltered, SpamIPBlock | 2013-V1 |
| MessageCount | int | Edm.Int64 | [In/Out] The number of messages that fit the categories indicated by the other fields, over the aggregating period. | 1254 | 2013-V1 |
| Name | string | None specified | The SMTP email address of the user associated with the messages summarized in the report entry. | userone@example.com | 2013-V1 |
| Organization | string | None specified | [In/Out] The fully qualified domain name that was processing the email. | example.onmicrosoft.com | 2013-V1 |
| StartDate | System.DateTime | Edm.DateTime | [In] This field is used to limit the report period. Use this field in a $filter query option to set the start date and time of the reporting period. If you provide a StartDate in the $filter option, you must also specify an EndDate. | Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM") | 2013-V1 |
| SummarizeBy | string | None specified | [In] The report field specified in the $filter option using this field determines how the report entries are combined to form a summary. See the "Remarks" section for more information. When included in a $select option, this field always returns null. | Action, EventType, Domain, and Direction are the only allowed values that can be used in a $filter option with this field | 2013-V1 |

*The WCF Type refers to the .NET Framework data type assigned to the field when you create a Windows Communication Foundation (WCF) Service Reference in Visual Studio. The EDM Type refers to the ADO.NET Entity Data Model (EDM) types returned in Atom-formatted reports.

**For information about [In/Out] indicators, see the "Input parameters and report output columns" section.

Remarks

Each entry in the report includes several fields of metadata. For more information see Common metadata returned by the Office 365 Reporting web service.

The Date field indicates when the messages were handled by the Office 365 system, and is reported in the time zone of those servers.

The ODATA $orderby option does not function with this report.

Using StartDate and EndDate

The StartDate and EndDate fields do not provide useful information in the report results, and are always set to 0001-01-01T00:00:00Z in the report output. They are intended to enable easy restriction of the reporting time window, and provide finer precision than would be available in a "daily" report.

This can be especially helpful, for example, when recording email-based denial-of-service attacks on an hourly basis. When using these fields, you must include both in the $filter option. They are both considered optional, but if you provide one, you have to provide the other. If the StartDate/EndDate pair is not provided in the query, the default reporting time period is the previous two weeks. The "Examples" section later in this topic shows how to use the StartDate and EndDate fields.

Using the AggregateBy field

The MailTrafficTop report returns summaries for the users with the highest message counts in the Office 365 system. Each event is recorded with its Action, Event, Date, Sender, and so on. The data recorded by Office 365 includes the exact date and time of each event. The "detail" reports, such as MailDetailMalware, provide lists of specific events and their exact times. The "traffic" reports, such as MailTrafficTop, summarize those events and can provide counts of them over two durations: hour and day. You specify which duration to use in the $filter query option, as shown in the following example. If no AggregateBy comparison is included in the $filter option, the default Hour is used.

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailTrafficTop?$filter=AggregateBy eq 'Day'

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailTrafficTop?$filter=AggregateBy eq 'Hour'

Using the SummarizeBy field

The SummarizeBy field enables you to "collapse" the report output on a specified field name. For example, let's say there were 200 inbound and 100 outbound emails during a single day-long reporting period. If your query includes $filter=AggregateBy eq 'Day', the report would return two separate entries for that day: one for inbound emails showing a MessageCount of 200 and a Direction of Inbound, and another entry for outbound emails showing a MessageCount of 100 and a Direction of Outbound. If you also provide the SummarizeBy field in the $filter option, as in SummarizeBy eq 'Direction', the report would then include only one entry for that day, with an empty Direction field, and a MessageCount of 300. The Direction field is empty, because the entry summarizes both Direction eq 'Inbound' message counts and Direction eq 'Outbound' message counts together.

Only the following fields are supported for use with SummarizeBy.

  • Action

  • EventType

  • Direction

  • Domain

Your requests can include more than one of the allowed fields to summarize, as in the following $filter option.

$filter=SummarizeBy eq 'EventType,Action'

If the request uses SummarizeBy on a field, and also includes that field name in the $select option, the field will always be reported with an empty value.

The following request shows how to request the daily summary of top email users, with just the Name, Date, Direction, and MessageCount fields returned. The results are to be aggregated by day. Line breaks were added to the request for clarity.

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailTrafficTop?
$select=Date,Name,Direction,MessageCount&
$filter=AggregateBy%20eq%20'Day'&
$format=Atom

The following shows the results of the request. To simplify the results, most of the metadata elements have been removed. Note there are two entries, one with Direction of Inbound, and the other for the same day with a Direction of Outbound.

<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/">
  <id>https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailTrafficTop</id>
  <title type="text">MailTrafficTop</title>
  <entry>
    <content type="application/xml">
      <m:properties>
        <d:Date m:type="Edm.DateTime">2013-01-29T00:00:00</d:Date>
        <d:Name>userone@example.onmicrosoft.com</d:Name>
        <d:Direction>Inbound</d:Direction>
        <d:MessageCount m:type="Edm.Int32">55</d:MessageCount>
      </m:properties>
    </content>
  </entry>
  <entry>
    <content type="application/xml">
      <m:properties>
        <d:Date m:type="Edm.DateTime">2013-01-29T00:00:00</d:Date>
        <d:Name>userone@example.onmicrosoft.com</d:Name>
        <d:Direction>Outbound</d:Direction>
        <d:MessageCount m:type="Edm.Int32">4</d:MessageCount>
      </m:properties>
    </content>
  </entry>
 </feed>

If you make the same request with the addition of summarizing by Direction, the request becomes the following.

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailTrafficTop?
$select=Date,Name,Direction,MessageCount&
$filter=AggregateBy%20eq%20'Day'%20and%20SummarizeBy%20eq%20'Direction'&
$format=Atom

The response for that same day then collapses, or summarizes, the Direction field. In other words, it combines the counts for all entries that differ only in their Direction field value. The Direction element is returned as empty, indicating that the report entry combines counts for events, ignoring differences in Direction values.

<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/">
  <id>https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailTrafficTop</id>
  <title type="text">MailTrafficTop</title>
  <entry>
    <content type="application/xml">
      <m:properties>
        <d:Date m:type="Edm.DateTime">2013-01-29T00:00:00</d:Date>
        <d:Name>userone@example.onmicrosoft.com</d:Name>
        <d:Direction></d:Direction>
        <d:MessageCount m:type="Edm.Int32">59</d:MessageCount>
      </m:properties>
    </content>
  </entry>
 </feed>
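The rules in this section (StartDate and EndDate only as a pair, AggregateBy limited to Day or Hour, SummarizeBy limited to four fields) can be enforced before a request is sent, which also keeps untrusted input out of the $filter string. The following is an added example, not Microsoft code; build_url and its helpers are hypothetical names, and the $select allow-list is an assumption that covers only the [In/Out] fields.

```python
from datetime import datetime, timezone
from urllib.parse import quote

BASE = "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailTrafficTop"
FIELDS = {"Date", "Direction", "Domain", "EventType", "MessageCount", "Name", "Organization"}
AGGREGATE_BY = {"Day", "Hour"}
DIRECTIONS = {"Inbound", "Outbound"}
SUMMARIZE_BY = {"Action", "EventType", "Direction", "Domain"}


def _allow(value, allowed, what):
    """Allow-list check: nothing outside the documented values reaches the query string."""
    if value not in allowed:
        raise ValueError("%s must be one of %s, got %r" % (what, sorted(allowed), value))
    return value


def _odata_datetime(value):
    """Render a time-zone-aware datetime as an OData datetime literal in UTC."""
    if value.tzinfo is None:
        raise ValueError("naive datetime: attach a time zone before building the filter")
    return "datetime'%s'" % value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_url(select, aggregate_by=None, start=None, end=None,
              direction=None, summarize_by=(), top=None):
    """Build a MailTrafficTop request URL (hypothetical helper, Atom output only)."""
    if (start is None) != (end is None):
        raise ValueError("StartDate and EndDate must be supplied together")
    if start is not None and start >= end:
        raise ValueError("StartDate must be earlier than EndDate")  # sanity check, an assumption
    clauses = []
    if aggregate_by is not None:
        clauses.append("AggregateBy eq '%s'" % _allow(aggregate_by, AGGREGATE_BY, "AggregateBy"))
    if start is not None:
        clauses.append("StartDate eq " + _odata_datetime(start))
        clauses.append("EndDate eq " + _odata_datetime(end))
    if direction is not None:
        clauses.append("Direction eq '%s'" % _allow(direction, DIRECTIONS, "Direction"))
    if summarize_by:
        names = [_allow(f, SUMMARIZE_BY, "SummarizeBy") for f in summarize_by]
        clauses.append("SummarizeBy eq '%s'" % ",".join(names))
    params = ["$select=" + ",".join(_allow(f, FIELDS, "$select field") for f in select)]
    if clauses:
        # Spaces become %20; quotes, colons and commas stay literal, as in the page's requests.
        params.append("$filter=" + quote(" and ".join(clauses), safe="':,"))
    if top is not None:
        params.append("$top=%d" % int(top))
    params.append("$format=Atom")
    return BASE + "?" + "&".join(params)
```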

Examples

The following example shows how to retrieve information about the top three user accounts that received the most email on February 6, 2013, in Atom format. Line breaks were added to both the request and response for clarity.

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailTrafficTop?
$select=Name,Date,Direction,MessageCount&
$filter=AggregateBy%20eq%20'Day'%20and%20
  StartDate%20eq%20datetime'2013-02-06T00:00:00Z'%20and%20
  EndDate%20eq%20datetime'2013-02-07T00:00:00Z'%20and%20
  Direction%20eq%20'Inbound'&
$orderby=MessageCount&
$top=3&
$format=Atom

<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/" 
  xmlns="http://www.w3.org/2005/Atom" 
  xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
  xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
  <id>https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailTrafficTop</id>
  <title type="text">MailTrafficTop</title>
  <updated>2013-02-09T16:19:53Z</updated>
  <link rel="self" title="MailTrafficTop" href="MailTrafficTop" />
  <entry>
    <id>https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailTrafficTop(0)</id>
    <category term="TenantReporting.MailTrafficTopReport" 
      scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" title="MailTrafficTopReport" href="MailTrafficTop(0)" />
    <title />
    <updated>2013-02-09T16:19:53Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:Date m:type="Edm.DateTime">2013-02-06T00:00:00</d:Date>
        <d:Name>userone@example.onmicrosoft.com</d:Name>
        <d:Direction>Inbound</d:Direction>
        <d:MessageCount m:type="Edm.Int32">1</d:MessageCount>
      </m:properties>
    </content>
  </entry>
  <entry>
    <id>https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailTrafficTop(1)</id>
    <category term="TenantReporting.MailTrafficTopReport" 
      scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" title="MailTrafficTopReport" href="MailTrafficTop(1)" />
    <title />
    <updated>2013-02-09T16:19:53Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:Date m:type="Edm.DateTime">2013-02-06T00:00:00</d:Date>
        <d:Name>usertwo@example.onmicrosoft.com</d:Name>
        <d:Direction>Inbound</d:Direction>
        <d:MessageCount m:type="Edm.Int32">71</d:MessageCount>
      </m:properties>
    </content>
  </entry>
  <entry>
    <id>https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailTrafficTop(2)</id>
    <category term="TenantReporting.MailTrafficTopReport" 
      scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" title="MailTrafficTopReport" href="MailTrafficTop(2)" />
    <title />
    <updated>2013-02-09T16:19:53Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:Date m:type="Edm.DateTime">2013-02-06T00:00:00</d:Date>
        <d:Name>userthree@example.onmicrosoft.com</d:Name>
        <d:Direction>Inbound</d:Direction>
        <d:MessageCount m:type="Edm.Int32">6</d:MessageCount>
      </m:properties>
    </content>
  </entry>
</feed>

The following shows the same reporting results in JSON format.

  {
    "d":
      [
          {
            "__metadata":
              {
                "id":"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailTrafficTop(0)",
                "uri":"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailTrafficTop(0)",
                "type":"TenantReporting.MailTrafficTopReport"
              },
            "Date":"\/Date(1360108800000)\/",
            "Name":"userone@example.onmicrosoft.com",
            "Direction":"Inbound",
            "MessageCount":1
          },
          {
            "__metadata":
              {
                "id":"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailTrafficTop(1)",
                "uri":"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailTrafficTop(1)",
                "type":"TenantReporting.MailTrafficTopReport"
              },
            "Date":"\/Date(1360108800000)\/",
            "Name":"usertwo@example.onmicrosoft.com",
            "Direction":"Inbound",
            "MessageCount":71
          },
          {
            "__metadata":
              {
                "id":"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailTrafficTop(2)",
                "uri":"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailTrafficTop(2)",
                "type":"TenantReporting.MailTrafficTopReport"
              },
            "Date":"\/Date(1360108800000)\/",
            "Name":"userthree@example.onmicrosoft.com",
            "Direction":"Inbound",
            "MessageCount":6
          }
      ]
  }
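Because the $orderby option does not function with this report, the entries above arrive unordered (1, 71, 6), so a consumer has to rank them itself. The following is an added example, not Microsoft code: it parses a constructed sample in the shape of the JSON response above, converts the /Date(ms)/ values to UTC, and sorts by MessageCount on the client. The function names are hypothetical, and accepting a "d" object with a "results" array is an assumption for OData v2 style responses.

```python
import json
import re
from datetime import datetime, timedelta, timezone

_DATE_RE = re.compile(r"^/Date\((-?\d+)\)/$")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample, shaped like the page's JSON response with __metadata left out.
SAMPLE = r'''{"d":[
  {"Date":"\/Date(1360108800000)\/","Name":"userone@example.onmicrosoft.com","Direction":"Inbound","MessageCount":1},
  {"Date":"\/Date(1360108800000)\/","Name":"usertwo@example.onmicrosoft.com","Direction":"Inbound","MessageCount":71},
  {"Date":"\/Date(1360108800000)\/","Name":"userthree@example.onmicrosoft.com","Direction":"Inbound","MessageCount":6}
]}'''


def parse_odata_date(text):
    """Convert "/Date(1360108800000)/" (milliseconds since the epoch) to a UTC datetime."""
    match = _DATE_RE.match(text)
    if not match:
        raise ValueError("unexpected date literal: %r" % (text,))
    return _EPOCH + timedelta(milliseconds=int(match.group(1)))


def top_users(body, n, direction=None):
    """Return the n entries with the highest MessageCount as (name, date, direction, count)."""
    payload = json.loads(body)["d"]
    rows = payload["results"] if isinstance(payload, dict) else payload
    entries = []
    for row in rows:
        count = row["MessageCount"]
        if isinstance(count, bool) or not isinstance(count, int) or count < 0:
            raise ValueError("MessageCount is not a non-negative integer: %r" % (count,))
        if direction is not None and row["Direction"] != direction:
            continue
        entries.append((row["Name"], parse_odata_date(row["Date"]), row["Direction"], count))
    # Rank on the client: highest count first, name as a stable tie-breaker.
    entries.sort(key=lambda e: (-e[3], e[0]))
    return entries[:n]


if __name__ == "__main__":
    for name, when, direction, count in top_users(SAMPLE, 3):
        print(when.date().isoformat(), direction, count, name)
```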

Input parameters and report output columns

The [In/Out] indicators in the fields table have the following meanings:

  • Fields marked [In] in the fields table are primarily intended for use in $filter=, $orderby=, and other query options that restrict which entries the report returns. Fields marked [In] in the fields table can be included in the $select= option, and they will appear in the report entries, but they will contain no useful data.

  • Fields marked [In/Out] in the fields table can be used in both the column selection ($select=) and entry restriction ($filter= and $orderby=) options. When you include one of these fields in the $select= option, it will appear in the report entries, and will contain useful data when it is available.

Compatibility

The MailTrafficTop report was introduced in Office 365 service version 2013-V1. For more information on versioning, see Versioning in the Office 365 Reporting web service.

Corresponding Windows PowerShell cmdlets

The MailTrafficTop report returns the same information as the Get-MailTrafficTopReport Windows PowerShell cmdlet.

Permissions

The account you use to access the reports must have administrative permissions in the Office 365 organization. If the account can view this report in the Office 365 Control Panel, then the account has permissions to retrieve the data from the REST web service. This report requires the user to be assigned to the View-Only Recipients role. In the default Office 365 permissions structure, users with the following administrator permissions can access this report: billing administrator, global administrator, password administrator, service administrator, and user management administrator.

Data granularity, persistence, and availability

Information available in this report is stored with the exact date and time for each event. You can use any feasible time period and duration by including the StartDate and EndDate fields in the $filter option. Times are reported in the time zone of the server scanning the email. This report calculates message counts over hours or days, depending on the AggregateBy field.

The information for this report is available for a period of 14 days, or until the subscription is canceled.

Events may be delayed by up to 24 hours before they appear in a report.