O365adjacent
Copper Contributor
Mar 20, 2024

Missing day(s) from Search-AdminAuditLog and Search-UnifiedAuditLog Results

Hey Everyone!

We've noticed that when running the Search-AdminAuditLog or Search-UnifiedAuditLog cmdlets, the collection returned never has the current day, and sometimes is missing the prior day or parts of the prior day. We've investigated the following already:

  • Converted to UTC time

  • Ran the query from the UI to see if it differed from what PowerShell is returning - It was the same

  • Searched current documentation to see if this is a known bug or feature - Nothing found

  • Shortened our search from 90 days to 7 days, and then just the current day - Same results

Can anyone help clear up how to access this current reporting from PowerShell? We're putting a script together for email comp response and the current data is a must.

Thanks!


  • Add one extra day to your end date if you want to cover events from today. For example:

    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date).AddDays(1) -ResultSize 1

    will return the most recent event from today. Of course, keep in mind that log ingestion is not a real-time process and there are (quite noticeable) delays.
    • O365adjacent
      Copper Contributor

      VasilMichev, this totally worked. Thank you so much! After roughly 14 man hours of working on this with various team members, we never even thought of this. Have a great day!
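
The padded end date from the answer above, placed in a paged audit pull of the kind an email compromise response script needs. This is an added example, not code from either poster; the function name Get-RecentAuditRecords and its parameters are hypothetical, and it assumes Connect-ExchangeOnline has already been run.

```powershell
# Added example, not from the thread. Assumes an existing Exchange Online session.
# Get-RecentAuditRecords and its parameters are hypothetical names.
function Get-RecentAuditRecords {
    [CmdletBinding()]
    param(
        [int]$DaysBack = 7,
        [string[]]$UserIds,       # optional: accounts under investigation
        [int]$PageSize = 5000     # largest ResultSize the cmdlet accepts
    )

    # Pad the end date by one day, as the answer suggests, so today's events are in range.
    $now = Get-Date
    $query = @{
        StartDate      = $now.AddDays(-$DaysBack)
        EndDate        = $now.AddDays(1)
        SessionId      = "audit-pull-$([guid]::NewGuid())"   # ties the pages of one search together
        SessionCommand = 'ReturnLargeSet'
        ResultSize     = $PageSize
    }
    if ($UserIds) { $query.UserIds = $UserIds }

    $records = [System.Collections.Generic.List[object]]::new()
    do {
        # Repeating the call with the same SessionId returns the next page.
        $page = @(Search-UnifiedAuditLog @query)
        if ($page.Count -gt 0) { $records.AddRange($page) }
    } while ($page.Count -gt 0)

    # ReturnLargeSet pages arrive unsorted, so order them locally, newest first.
    $sorted = @($records | Sort-Object CreationDate -Descending)

    # Ingestion is not real time: report the newest timestamp so the gap is visible.
    if ($sorted.Count -gt 0) {
        Write-Verbose "Newest record: $($sorted[0].CreationDate); $($sorted.Count) records returned"
    } else {
        Write-Verbose 'No records returned for this window'
    }
    return $sorted
}

# Constructed usage: last 2 days for one mailbox (placeholder address).
# Get-RecentAuditRecords -DaysBack 2 -UserIds 'user@example.com' -Verbose
```

Comparing the newest CreationDate against the current time on each run shows how far ingestion is lagging, which tells a responder whether an empty "today" means no activity or simply not yet indexed.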

       
