Forum Discussion
Missing day(s) from Search-AdminAuditLog and Search-UnifiedAuditLog Results
Hey Everyone!
We've noticed that when running the Search-AdminAuditLog or Search-UnifiedAuditLog cmdlets, the collection returned never has the current day, and sometimes is missing the prior day or parts of the prior day. We've investigated the following already:
Converted to UTC time
Ran the query from the UI to see if it differed from what PowerShell is returning- It was the same
Searched current documentation to see if this is a know bug or feature- Nothing found
Shortened our search from 90 days to 7 days, and then just the current day- Same results
Can anyone help clear up how to access this current reporting from PowerShell? We're putting a script together for email comp response and the current data is a must.
Thanks!
VasilMichev, this totally worked. Thank you so much! After roughly 14 man hours of working on this with various team members, we never even thought of this. Have a great day!
- Add one extra day to your end date if you want to cover events from today. For example:
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date).AddDays(1) -ResultSize 1
will return the most recent event from today. Of course, keep in mind that log ingestion is not a real-time process and there are (quite noticeable) delays.- O365adjacentCopper Contributor
VasilMichev, this totally worked. Thank you so much! After roughly 14 man hours of working on this with various team members, we never even thought of this. Have a great day!