Forum Discussion

Pontus T's avatar
Pontus T
Iron Contributor
Apr 27, 2017
Solved

Help with parameter for Search-UnifiedAuditLog

Hi,   Disclaimer: I am new to PowerShell, hence why I turn here for your input.   Background: I'm creating a Power BI dashboard based on data exported from the O365 Audit Log. For the moment, I'...
Search-UnifiedAuditLog
  • Pontus T's avatar
    Pontus T
    Apr 28, 2017

    NarasimaPerumal Chandramohan thanks for pointing me in the right direction. I managed to solve it by using SessionID and SessionCommand. All I needed was a while loop that kept running until the variable taking the audit data returned null, and keep appending the export file in every loop run.

Pontus T's avatar
Pontus T
Iron Contributor
Apr 28, 2017

NarasimaPerumal Chandramohan thanks for pointing me in the right direction. I managed to solve it by using SessionID and SessionCommand. All I needed was a while loop that kept running until the variable taking the audit data returned null, and keep appending the export file in every loop run.

Wilfred1337's avatar
Wilfred1337
Copper Contributor
May 01, 2024

Pontus T 

Here is my approach to solve this problem, I had something alike and wanted to share it with you, there was a lot of chatter on one specific parameter rendering the 5000 limit useless, within the 24 hours that is, so I created a 4 hour iteration ignoring the bogus parameter, hopes it helps  you.

 

    # ignore command "set-whatever" over 1000 hits every x hours
    
    $global:day = (Get-Date)
    # set start date at midnight
$hours = $global:day.TimeOfDay.TotalMinutes
$startdate = $global:day.AddMinutes(- $hours)
    # set end date at midnight
    $enddate = $startdate.AddHours(24)
    #
    $logsearch=@()
    # iterate every x hours ignoring bogus operation
    $increment=4
    for($i=0; $i -le (24-$increment); $i=$i+$increment) { $i 
 
        $logsearch += Search-UnifiedAuditLog -StartDate $startdate.AddHours($i) -EndDate $startdate.AddHours(4+$i) -RecordType <searchtype> -SessionCommand ReturnLargeSet -resultsize 5000|? Operations -NotMatch "set-whatever"
    }
    # 

you could add a group of operation restrictions by using "-in" operator if you have a bunch.
#

Resources