Searching Audit log Strange Behavior
- Mar 03, 2021
Just thought I would give you an update on the response I got back from Microsoft Support.
"When the ResultCount is 0 or ResultIndex is -1, the search faced internal timeout.
Please ignore the results returned when the internal timeout occurs, and (wait 5 minutes then) try search again."
Pretty generic response but oh well.
swhitestrath I've noted some issues with audit log retrieval recently too. Best idea is to log a support incident. If you don't, no engineer will ever look to figure out what's going wrong.
- swhitestrath, Jan 26, 2021, Brass Contributor
TonyRedmond I have opened a ticket with Microsoft, will update if they come back with anything. In the meantime I have just updated my code to check for this -1 ResultIndex and if it detects it, it waits 2 mins and tries the command again.
- TonyRedmond, Jan 26, 2021, MVP
swhitestrath Just to be sure I understand, you see -1 returned in the search results as in $currentresults[0].resultindex?
This makes sense because ResultIndex tracks the position of the search in terms of retrieved results... So -1 gives you an indication that the search results returned aren't good.
Question: When you resume, does ResultIndex recommence at the right value? For instance, let's assume that you have retrieved 3000 records so far, the first record returned by the next successful call should have a value of 3001 in ResultIndex. Is that what you see?
- swhitestrath, Jan 26, 2021, Brass Contributor
TonyRedmond I just reset everything and try again so the index returns to 1. The second time is usually successful.
```powershell
# Check for $null first: indexing into a $null result would raise an error
# before the retry logic could run.
if ($null -eq $currentResults -or $currentResults[0].ResultIndex -eq -1) {
    # Start a fresh session and discard anything collected so far
    $sessionName = (Get-Date -Format 'u') + 'streamauditlog' + $i
    $aggregateResults = @()
    if ($null -eq $currentResults) {
        $logmsg = "No Results returned, retrying..."
    }
    else {
        $logmsg = "-1 Index Found Loop Restarted"
    }
    $errorCount++
    LogToFile -EntryType "ERROR" -Message $logmsg -Logfile $lgfile
    # Wait two minutes, then restart the enclosing loop
    Start-Sleep -s 120
    continue
}
```
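The checks discussed in this thread (ResultIndex of -1, ResultCount of 0, and ResultIndex continuing from the records already retrieved) can be combined into one paged retrieval loop. This is an added example, not code from any participant in the thread; it assumes the search is run with Search-UnifiedAuditLog and -SessionCommand ReturnLargeSet, and the function names, the $start/$end variables and the stub data are hypothetical or constructed.

```powershell
# Added example; Test-AuditBatch and Get-AuditRecords are hypothetical names.
# Real use (assumed cmdlet; $start and $end are placeholders):
#   { param($sid) Search-UnifiedAuditLog -StartDate $start -EndDate $end -SessionId $sid -SessionCommand ReturnLargeSet -ResultSize 5000 }
function Test-AuditBatch {
    param([object[]]$Batch, [int]$ExpectedFirstIndex)
    # An empty first batch is ambiguous (timeout or no data); like the thread's
    # code, treat it as a failure so the caller retries.
    if ($Batch.Count -eq 0) { return $false }
    foreach ($r in $Batch) {
        # Support's markers for an internal timeout.
        if ($r.ResultIndex -eq -1 -or $r.ResultCount -eq 0) { return $false }
    }
    # ResultIndex must continue from the records already collected.
    return ($Batch[0].ResultIndex -eq $ExpectedFirstIndex)
}

function Get-AuditRecords {
    param([scriptblock]$Search, [int]$MaxAttempts = 3, [int]$WaitSeconds = 300)  # 300 s = the 5 minutes support advised
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $sessionId = "{0:u}-auditlog-{1}" -f (Get-Date), $attempt   # fresh session per attempt
        $all = @(); $ok = $true
        while ($true) {
            $batch = @(& $Search $sessionId | Where-Object { $null -ne $_ })
            if ($batch.Count -eq 0 -and $all.Count -gt 0) { break }   # end of result set
            if (-not (Test-AuditBatch $batch ($all.Count + 1))) { $ok = $false; break }
            $all += $batch
            if ($all.Count -ge $batch[0].ResultCount) { break }       # everything retrieved
        }
        if ($ok) { return $all }
        Write-Warning "Attempt $attempt looked like an internal timeout; partial results discarded."
        if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds $WaitSeconds }
    }
    throw "Audit search failed after $MaxAttempts attempts."
}

# Constructed stub standing in for the real search: the first session times out.
$script:calls = 0
$stub = {
    param($sid)
    $script:calls++
    if ($script:calls -eq 1) { return [pscustomobject]@{ ResultIndex = -1; ResultCount = 0 } }
    if ($script:calls -eq 2) { return 1..3 | ForEach-Object { [pscustomobject]@{ ResultIndex = $_; ResultCount = 3 } } }
}
(Get-AuditRecords -Search $stub -WaitSeconds 1).Count
```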