Searching Audit log Strange Behavior
Back in October, I created a script that dumps Daily Microsoft Stream Audit data into CSVs so that PowerBI Reports can be created. It was working fine until the 16th of December and now seems to be very inconsistently returning 1000s of duplicate records with a ResultIndex of -1. A correct return of data usually returns a ResultIndex going from 1 to however many records. Does anyone know why this may be occurring?
```powershell
Do {
    try {
        $currentResults = Search-UnifiedAuditLog -StartDate $startDate -EndDate $enddate -SessionId $sessionName -SessionCommand ReturnLargeSet -ResultSize 1000 -RecordType MicrosoftStream -Operations StreamCreateVideo,StreamEditVideo,StreamDeleteVideo,StreamInvokeVideoUpload,StreamInvokeVideoDownload,StreamEditVideoPermissions,StreamInvokeVideoView,StreamInvokeVideoShare,StreamInvokeVideoLike,StreamInvokeVideoUnLike,StreamCreateVideoComment,StreamDeleteVideoComment,StreamInvokeVideoTextTrackUpload,StreamInvokeVideoThumbnailUpload,StreamDeleteVideoThumbnail,StreamInvokeVideoMakePublic,StreamInvokeVideoMakePrivate,StreamCreateGroup,StreamEditGroup,StreamDeleteGroup,StreamEditGroupMemberships,StreamCreateChannel,StreamEditChannel,StreamDeleteChannel
    } catch [System.Exception] {
        $errorCount++
        $ErrorMessage = " Error: " + $_.Exception.Message
        $logmsg = $ErrorMessage
        Write-Output $logmsg
        LogToFile -EntryType "ERROR" -Message $logmsg -Logfile $lgfile
    }
    if ($currentResults.Count -gt 0) {
        $logmsg = (" Finished search #{1}, {2} records: {0} min" -f [math]::Round((New-TimeSpan -Start $scriptStart).TotalMinutes,4), $i, $currentResults.Count )
        Write-Output $logmsg
        LogToFile -EntryType "INFORMATION" -Message $logmsg -Logfile $lgfile
        # Accumulate the data
        $aggregateResults += $currentResults # Adds 1000 records at a time
        # If the results are below 1000 then it's time to stop the loop
        if ($currentResults.Count -lt 1000) {
            $currentResults = @()
        } else {
            $i++
        }
    }
} Until ($currentResults.Count -eq 0) # --- End of Session Search Loop --- #
```
- Just thought I would give you an update on the response I got back from Microsoft Support.
"When the ResultCount is 0 or ResultIndex is -1, the search faced internal timeout.
Please ignore the results returned when the internal timeout occurs, and (wait 5 minutes then) try search again."
Pretty generic response but oh well.
12 Replies
swhitestrath I've noted some issues with audit log retrieval recently too. Best idea is to log a support incident. If you don't, no engineer will ever look to figure out what's going wrong.
- swhitestrath (Brass Contributor)
TonyRedmond I have opened a ticket with Microsoft, will update if they come back with anything. In the meantime I have just updated my code to check for this -1 ResultIndex and if it detects it, it waits 2 mins and tries the command again.
swhitestrath Just to be sure I understand, you see -1 returned in the search results as in $currentresults[0].resultindex?
This makes sense because ResultIndex tracks the position of the search in terms of retrieved results... So -1 gives you an indication that the search results returned aren't good.
Question: When you resume, does ResultIndex recommence at the right value? For instance, let's assume that you have retrieved 3000 records so far, the first record returned by the next successful call should have a value of 3001 in ResultIndex. Is that what you see?
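The check-and-retry approach discussed in this thread, as an added example that is not part of any poster's script: every page is inspected for the timeout markers named in the support reply (ResultIndex of -1 or ResultCount of 0) before anything is accumulated. The function name `Get-AuditPages`, its parameters, and the choice to discard the partial set and restart under a new session ID (rather than resume, since the thread leaves the resume question open) are assumptions; the stub at the end is constructed sample data so the logic can be exercised without a tenant connection.

```powershell
# Added example, not the poster's script. $Search is any scriptblock that takes a
# session id and returns one page; in production it would wrap the thread's call:
#   { param($sid) Search-UnifiedAuditLog -StartDate $startDate -EndDate $enddate `
#       -SessionId $sid -SessionCommand ReturnLargeSet -ResultSize 1000 -RecordType MicrosoftStream }
function Get-AuditPages {
    param(
        [Parameter(Mandatory)] [scriptblock] $Search,
        [int] $PageSize    = 1000,
        [int] $MaxAttempts = 3,
        [int] $WaitSeconds = 300   # the 5-minute wait from the support reply
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $sessionId = "audit-$([guid]::NewGuid())"   # assumption: new session per attempt
        $records   = [System.Collections.Generic.List[object]]::new()
        $timedOut  = $false
        do {
            $page = @(& $Search $sessionId)
            # Timeout markers per the support reply: ResultIndex -1 or ResultCount 0
            $bad = @($page | Where-Object { $_.ResultIndex -eq -1 -or $_.ResultCount -eq 0 })
            if ($bad.Count -gt 0) { $timedOut = $true; break }   # never accumulate a bad page
            $records.AddRange($page)
        } while ($page.Count -ge $PageSize)   # a short page means the data is exhausted
        if (-not $timedOut) { return $records }
        Write-Warning "Attempt ${attempt}: timeout marker seen, discarded $($records.Count) records"
        if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds $WaitSeconds }
    }
    throw "Audit search still timing out after $MaxAttempts attempts"
}

# Constructed stub: the first call returns timeout markers, later calls return good records.
$script:calls = 0
$stub = {
    param($sid)
    $script:calls++
    if ($script:calls -eq 1) {
        1..5 | ForEach-Object { [pscustomobject]@{ ResultIndex = -1; ResultCount = 0 } }
    } else {
        1..3 | ForEach-Object { [pscustomobject]@{ ResultIndex = $_; ResultCount = 3 } }
    }
}
$result = @(Get-AuditPages -Search $stub -WaitSeconds 0)
"{0} records kept after {1} search calls" -f $result.Count, $script:calls
```

Throwing after the last attempt keeps a persistently failing search from silently producing an incomplete CSV for the downstream reports.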