How to Find the Number of Emails Each User Sent and Received in a 24 Hour Period

Using the G Suite Admin Console or Google Vault it’s a difficult task for a super admin to find all of the emails sent or received by the entire organization or sub-group of users in a clear and readable way. That’s why the Email auditing in GAT+ is so important. For any filter you create, you can see who was involved with sending or receiving of those emails.

From the GAT+ side-menu go to the email audit section.

While in the first tab.

Click on the ‘Apply custom filters’ button.

Add the dates to capture the previous 24 hour period.

In the search definition area, the following search parameters were applied.

Sent date after or equal MM/DD/YYYY HH:MM


Received date before or equal MM/DD/YYYY HH:MM

Once you have selected the look-back period, apply the filter. In the above example, we looked back one day, you can have your custom look back cover a date range you need to audit.

Now when the filter is applied, click on the ‘Sender/Receiver’ tab, the filter will be carried over to this area!

The first table will show you the number of emails sent from your domain’s users.

The second table shows the number of emails each local user received (including, cc’s and bcc’s).

The third table shows you all of the external senders and the number of emails they sent in the last 24 hours.

The fourth and last table will show you the external receivers and how many emails they received in the last 24 hours.

You can export each table to see further details.

How to Find All Emails for a Gmail User

When GAT+ is installed, our system begins to index all of the emails in every account covering a period of 28 days (4 weeks) prior to the install date. This helps us build up some statistics so you can view recent trends. We then index every email going forward indefinitely.

In cases where you need to search for emails older than 28 days from the date of GAT+ install you can use the real-time search called Gmail Search in GAT+.

Search the entirety of any users mailbox for any set of emails, from any time period, as long as the email is still there (not permanently deleted by the user).

You can exclude “chats” if you use “in:anywhere -in:chats” if you wish to narrow down the search to a specific period use the following search operators after:YYYY/MM/DD and/or before:YYYY/MM/DD. Alternatively, you can use older_than:5d or newer_than:30d.

So the full search term might look like this “in:anywhere -in:chats after:2019/03/01 before:2019/03/31 is:read”. View the full list of search operators available.

The search may take quite some time especially if you’re dealing with thousands of emails.

When the Start Search button is pressed, this will redirect you to the Recent tab. In this tab, you will see the status of all your email searches.

After the search completes, you can select the green check mark and all emails for this user will be displayed.

Once the results are shown, you can add and build new filters on the top of the current search. To find specific emails or examine the totality of that user’s activity.

To add additional filters on top of this real-time search, click on the Apply custom filter button.

One example of using the Apply custom filters in Gmail Search is to narrow down the above search to find only emails with more than 2 email attachments.

You can always return to Gmail Searches you had previously done and remove them from the listing.

In conclusion, Gmail Search provides a powerful alternative to scan based searches but may be slower as the email metadata is not already indexed. If your email audit does not require up to the minute information I would recommend sticking with scan based searches within the Emails tab.

Who Read What Document and When?

This question comes up from time to time and GAT makes it easy to find the detailed answer.


First, we find all the documents the person reads (or has ‘viewed’).
To achieve this we navigate to the Drive audit in GAT+. We select the Event tab, then we apply a custom filter.
For the search we enter the email address of the person we’re interested in, then pick an event type as “View” (you can select different options such as download, upload, print, created).
You can select a date parameter to narrow down your search results (If you don’t put date it will scan the user and event type and find every document ever read by that person).


The example in the screenshot below will display all events (view) by the user in the past 29 days(since the start of month).


However, we can refine this further…

Let’s exclude files where this user is also the owner of those files because we are only interested in files this user viewed which are not his own.

To do this export the results, this will create a spreadsheet where we can edit the owner tab to exclude the person you are currently searching for.

The result you get is all the documents visited by the subject, excluding the files he owns.

A follow-on question from this is how do we create daily/weekly reporting for all or some documents in our domain?

We have a post about how to schedule daily/weekly report on event activities on files you can read more about that below here:

How to Track Visitors and Editors

Out of Hours Email Activity Reporting with GAT+

In France, the legal length of the working week is 35 hours in all types of companies with more than 50 employees. The working day may not exceed 10 hours. Furthermore, employees may not work for more than 4.5 hours without a break. The maximum working day may be extended to 12 hours under a collective agreement.

If you wish to enforce this policy throughout your organization you can utilize GAT Shield. Let’s presume you already know about Shield and utilize it within your organization.

You have the ability as a super admin to enforce the French working hours after getting proper approval from your management team.

Navigate to the Configuration area of GAT Shield. In the Login Control section.

Now, I will create a time frame window outside of this time frame users on my domain won’t be allowed to log into their G Suite account to check emails or other cloud services.

The below example covers 9AM to 7PM.

Login time window (from): 0 0 9 1/1 * ? *

Login time window (to): 0 0 19 1/1 * ? *

This means my employees can log in and do their work from 9AM to 7PM after which they will be blocked.

If you don’t wish to block entry into the account when users are out of hour you can report on your employee’s activities using GAT Shield User Activity section. This will show you when a user was active and what sites they went to throughout a given day.

Less is More: Email Audit

How to see the tree from the woods.

Sometimes we can be overwhelmed with search results and where we have a lot of information coming at us we sometimes want to turn down the noise a little.

In our domain, we get a lot of email from one particular source. We have a domain called that we use to relay certain events.  For example, we have a series of internal cameras at sensitive doors in the building. These record to a NAS system, but to be sure we also turn some of the images into email and email them to a google account. These all come from the account  As you can imagine this generates quite a bit of noise. When we’re auditing email we like to eliminate this noise.

First, we search for email from ‘’

GAT 'negate filter' button

Then we hit ‘Negate Filter’ to remove these 15,000+ emails from the results.


This really starts to become useful when combined with another filter.

For example, if we want to see all the email with attachments, we ‘clear filter’, select the attachments box and hit ‘Search Emails’

Unfortunately, this returns all emails with attachments, including the thousands of alerts from

What we can do is go to the tab ‘Recent Filters’ and combine searches, all email ‘With Attachments’ and all email ‘not from[]’

You can see we select the two filters we want, join them with ‘AND’ and hit ‘Show’.

This returns a much smaller subset of all emails with attachments, except those from ‘alerts’.

If we add dates to this search, we get an example like in line 1. (picture at top of page), which is getting all the email we want from the 30th of Jan, 2013.

We can then schedule this for 5 past midnight on the 31st of Jan.

Assuming we are on the 30th of January, this will generate a report that will run everyday showing us all the email that comes or goes the day before, with files attached, excluding all those thousands of emails from the alerting system.

How to Debug Email Routing Problems

GAT+ Lets Admins see the filters Users have in place. Useful for debugging email routing problems. Users audit, Emails, click on the filters count for the User of interest to see what the underlying filters are.

GAT Gmail filter


Understanding Group Activity email and file sharing

Some recent questions raise the interesting problem of how do we measure email activity at group level (and group activity in general).

Groups inside Google are phenomenally interesting and at GAT we spend quite a bit of time thinking about them. At a simple level, a group can act as an email alias for a function, ‘’.  A group can also form a platform for email collaboration, ‘’. It can also form the basis of a mini-community, ‘’, where the group name can be used as the basis for sharing documents, emails, access rights, etc.

In reality, any group once established, tends to function to varying degrees in all three roles inside the organization. In addition, you have the situation that members of one group are often members of other groups. Looking at the output of the members, you can never tell if the mail is group related.

However, with GAT+Email you can see some important details

1) How busy, in general, members of that group have been.

Under the ‘Users’ audit, select the email tab, the search for the group you are interested in, then, clicking on ‘show graph’ you can see the detailed internal and external email loads for members of that group.

Understanding Group Activity email and file sharing


2) The amount of email sent specifically to any Group (where the group is viewed as a collection of members), which domain and which user it came from (internal or external).

Here we use GAT+Email and select the email audit. Once in the email audit we search for the group we are interested in. This can be done two ways, firstly we can just reference the Group and this will return all emails for which members of the group were involved

Or we can make the group address the subject of a specific search, (the results show only the email sent specifically to the group address).

Here we can see in the table everyone inside and outside the organization involved in sending email to that group address and the volume of email involved. Domain or individual can be turned on or off to see the values for each category more clearly.

In addition, you can search for all the emails sent ‘from’ a particular group address and then using the ‘Recent Filters’ tab combine the two searches to produce a combined set of results. Again these can be examined in the Sender/Receiver table.

A really powerful exercise is to limit the searches to a date range, then look at the ‘Domain Connections’ table for the results. At the top of the table select ‘Show communication graph’.

See this post. The graph shows newest relationships on the right, oldest on the left. Domains sending to us on the top, domains we send to on the bottom. In between have emails in both directions, depending on the balance.

3) To what degree that group is directly involved in document sharing and collaboration

In this case, we go to the ‘Group’ audit on the homepage.

In this audit we can search for a group of interest and from there we can see details like the total of the overall percentage of docs created by members of this group, the percentage of shared in documents shared to its members and the percentage of shared out docs, shared out by its members.

In addition, you can see details like the number of group documents (those shared), the number shared explicitly to the group address and the numbers shared by members of the group to one another. This helps you understand if the Group is being used for Collaboration.


Understanding and Measuring Internal Email Communications

GAT supports two ways to measure and understand internal email communications. The first method is through the ‘Users Audit’.

Select the ‘Users Audit’ from the GAT homepage, and from the range of audit areas, select the ‘Emails’ tab (1).  This shows the last 30 days of email activity, both internal and external.

By default, this will show all the users on the domain. As this might be a large number of users you might like to focus on an individual or a group. You can enter an individual or a group name at (2). You can also select an Organization Unit (3).

The email volumes for each user is laid out in 8 columns. The first 4 are for external volumes and the last 4 are for internal volumes. The columns show the following

No. of email sent

No. of emails sent with files attached

No. of emails received

No. of emails received with files attached

For internal emails look to the second set of 4 columns (5).

Clicking on any number in blue shows you the email metadata that is behind the figure. You can see the ‘from’, ‘to’, ‘cc’ etc.

If you wish to see the volumes for each day of the last 30 days, select ‘Show daily stats’ (6).

All columns are sortable.

They say a picture is worth a thousand words, so for the big picture select the ‘Business Intelligence’ section from the GAT homepage.

From there select ‘Internal/External Collaboration’.

Then select a look back period of the last 4 weeks.

Select ‘Show Graph’.

Wait for the graph to draw. This will take about 30 seconds.

When the graph has drawn select the following choices. Under ‘View’ select ‘Emails’ and in the Filters section, select ‘Dampen external collaboration’

What you are left with on the graph is a map of the actual internal email activity for ‘replied to’ email over the last four weeks.

If you want to see the numerical values behind the pairs of email relationships, select ‘Pairs’. You can sort to the top pairs to the top.

You can even explore the activity between any two individuals, any two groups, any two OU’s or any combination of the above.

Finally, if you want to understand more about this suite of tools and how you can make them work for you, you can read here.


The two methods are actually slightly different in terms of what they measure. Under the ‘Users Audit’ absolute volumes of emails are being measured. Every email sent and every email received is counted and tabulated. Under the ‘Business Intelligence’ graph, the measurement only reflects ‘replied to’ emails. Emails not replied to or ignored are not counted for use in this graph as they are not considered to form part of a collaborative effort. The purpose of the Collaboration graph is to show collaboration activity.

Visualizing specific G Suite relationships or workloads

Specific Use Case

Specific use cases for these features include decommissioning users, analysing relationships, understanding the state of a business relationship with a specific company, identifying contacts with a specific company, assessing workload and many other important Business Intelligence tasks.

Read more

What is collaboration in G Suite?

What is collaboration?

Google, rightly, talks a lot about the importance of collaboration and about how G Suite enables and enhances the collaborative experience in the workplace.

We have thought hard about what collaboration might be and how we could measure it in the Google environment. Sharing a document with someone is not collaboration, it is a connection. Only when that document is read or edited does it become collaboration. Likewise firing emails off at targets is not necessarily collaborating with them, only when replies come and threads are built up do we start to collaborate. In all, Google currently gives us three areas where we can, with reasonable accuracy measure collaboration, these are documents, emails and calendar appointments.

From this data, you can estimate how each individual is collaborating (at least inside G Suite) with everyone else. However, for organizations, it can be even more interesting to understand how teams are performing and how strong the collaborative performance is over a period of time (by default we look at the last 6 weeks)

Group Analyses

As mentioned a collaboration score for an individual is useful to know, but in fact from a G Suite perspective the collaboration inside a group is something that is really interesting. Google groups are core to how we split up our workforce. Groups can cross OU boundaries and can often represent teams.

Groups collaboration needs to be measured along three axes, volume, degree and time.

Volume represents the amount of collaboration between the members of a group.

Degree represents the number of members each individual member collaborates with.

Time represents the period over which collaboration happens.

GAT, because of its highly accurate auditing can measure not just connections, but collaboration for not only docs, but also for emails and calendars. In addition it can do this over a period of time and because it understands Google groups, it can calculate both the volume and degree for each group.

Group analyses presents this information to you.

In a simple, yet powerful table, GAT pulls out every Google group on your domain (presents groups of 5 or more members by default but you can select smaller), looks at the internal behaviour of every member of each group over the the last 6 weeks (you can set your own time window) and then lets you rank the groups by highest average volume and/or degree of collaboration. In one click you can see which groups are working for you as collaborating groups and which you need to look at more closely to see if that group is still useful.

To explore a group in detail, just click on the group name. You will see the group is expanded to show you the individual detail behind the collected averages. This can be very useful to help identify the top collaborators in a group.

Using this data you can start to correlate other performance indicators with collaboration. You can now start to ask and answer questions like ‘do collaborating sales teams close more deals?’, ‘do collaborating support teams have higher customer satisfaction scores?’. It will also allow you to identify unnecessary groups, perhaps allowing for them to be formally wound up, allowing for the better use of resources.

Using some carefully chosen mathematics (to accommodate the fact that degree is upper bounded by group size) we blend both collaboration event and degree to give you a single unique ranking system taking into account both Volume and Degree. This will allow you to sift the highest collaborating groups to the top in a single sort.

Only with G Suite and GAT+ is this sort of analyses now possible.