RewidyBala
Jul 04, 2023 | Copper Contributor
Search-UnifiedAuditLog cmdlet returns partial audit results.
Hi,
My tenant has around more than 20000 audit logs for user sign-in, but when I run the Search-UnifiedAuditLog cmdlet with resultSize 5000, only 630 results were returned. We have been facing this behaviour for the past few days. Due to that we were unable to audit the user sign-in.
Example:
Trying to collect unified logs in sorted order returns incorrect results, but the unsorted order throws the correct data.
In the example below I am trying to collect data from 2nd July to 4th July.
Direct Cmdlet result
Cmdlet results with SessionCommand Property
To start, when using SessionCommand, use SessionId with a unique label for your query.
Examples at https://learn.microsoft.com/office/office-365-management-api/aip-unified-audit-logs-best-practices
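
A paging loop for the SessionId / SessionCommand approach described in the reply, as an added example that is not part of the original thread. It assumes an Exchange Online PowerShell session is already connected; the date window, the `UserLoggedIn` operation filter, and the output file name are constructed for illustration.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
# Dates, the UserLoggedIn filter and the CSV path are illustrative assumptions.
$start     = Get-Date '2023-07-02'
$end       = Get-Date '2023-07-05'                  # end of window, covers 4th July
$sessionId = "signin-audit-$([guid]::NewGuid())"    # unique label for this query
$seen      = [System.Collections.Generic.HashSet[string]]::new()
$records   = [System.Collections.Generic.List[object]]::new()
$expected  = $null

do {
    # Reuse the same SessionId on every call. ReturnLargeSet returns unsorted
    # pages of up to 5000 records, to a maximum of 50,000 per session.
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                -Operations UserLoggedIn -ResultSize 5000 `
                -SessionId $sessionId -SessionCommand ReturnLargeSet)
    if ($page.Count -eq 0) { break }                # session exhausted

    # ResultCount is the total the service reports for the whole session.
    if ($null -eq $expected) { $expected = $page[0].ResultCount }

    foreach ($r in $page) {
        # Identity is unique per audit record; drop duplicates across pages.
        if ($seen.Add([string]$r.Identity)) { $records.Add($r) }
    }
    Write-Host "Collected $($records.Count) of $expected"
} while ($records.Count -lt $expected)

# Completeness check: flag a short result instead of silently auditing on it.
if ($null -ne $expected -and $records.Count -lt $expected) {
    Write-Warning ("Incomplete: got {0}, service reported {1}. " -f $records.Count, $expected +
                   "Re-run with a new SessionId or a narrower date window.")
}

# Sort locally after collection rather than relying on server-side ordering.
$records | Sort-Object CreationDate |
    Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path .\signin-audit.csv -NoTypeInformation
```

If the reported total exceeds the per-session maximum, split the date range into smaller windows and run each window under its own SessionId.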