dmarquesgn
Iron Contributor
Jan 26, 2023
Solved

Search-UnifiedAuditLog limitation on number of results

Hi,


I need to extract PowerBI audit logs in order to get some valuable information. So, I'm using the Search-UnifiedAuditLog command, which according to the documentation could parse 50.000 records. But in fact using the switch "-SessionCommand ReturnLargeSet" still returns 100 records. If I use the switch "-ResultSize 5000" then I can get 5.000 records. But I've made that search on the compliance portal and I've got about 110k results.
So how can I get these 110k results via the Search-UnifiedAuditLog command? Has anyone faced a similar issue?

 

Documentation link: https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps

 

Thanks

  • The variable is getting overwritten at every "page", so on each append, new results are added (unsorted!). The cycle will run until the "last" page is returned, which should contain 0 entries, thus invalidating the condition.
    The example above works fine in my tenant, I fetched 30k+ records with it, with no duplication at least according to Excel 🙂
    The only thing I changed was to remove the RecordType, as I don't have that many events in my personal tenant.

8 Replies

  • Third/Fourth example in the documentation article is what you need. You simply rerun the cmdlet, each time you get a new page (up to 5000 results), until you reach the end of result (i.e. you get empty output). Don't forget to set a sessionId and reuse it!
    • dmarquesgn
      Iron Contributor

      VasilMichev 

      Hi, thanks for the reply. I thought about that, but I'm missing something here. You mean something like this:

      $StartDate = (Get-Date).AddDays(-90)
      $EndDate = Get-Date
      $AuditOutput = 1
      while ($AuditOutput) {
          Write-Host "Searching for Power BI audit records..."
          $AuditOutput = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -SessionId "Test" -SessionCommand ReturnLargeSet -RecordType PowerBIAudit -ResultSize 5000
          $AuditOutput | Export-Csv -Path "C:\Temp\26-01-2023-PowerBI-AuditLog.csv" -NoTypeInformation -Append
      }

      The problem here is that this returns about 3000 lines on the CSV while the CSV I extracted from the Compliance portal has about 110k lines.

      Can you understand what I'm missing here?

      • VasilMichev
        MVP
        Try using do/while instead:

        $AuditOutput = @()
        do {
            Write-Host "Searching for Power BI audit records..."
            $AuditOutput = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -SessionId "Test" -SessionCommand ReturnLargeSet -RecordType PowerBIAudit -ResultSize 5000
            $AuditOutput | Export-Csv -Path "C:\Temp\26-01-2023-PowerBI-AuditLog.csv" -NoTypeInformation -Append
        } while ($AuditOutput)
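
The paging loop discussed in this thread, extended to cover result sets larger than the 50.000 records per session mentioned in the question, as an added example that is not code from any participant in the thread. It splits the date range into windows, pages each window under its own SessionId, and compares the fetched count with the ResultCount property on the returned records. The function name, window size and output path are hypothetical, and an active Exchange Online PowerShell session is assumed.

```powershell
# Added example, not from the thread. Assumes Connect-ExchangeOnline has been run.
# Export-PowerBIAuditLog, -WindowHours and the default path are hypothetical names.
function Export-PowerBIAuditLog {
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-90),
        [datetime]$EndDate   = (Get-Date),
        [int]$WindowHours    = 24,
        [string]$Path        = 'C:\Temp\PowerBI-AuditLog.csv'
    )

    $windowStart = $StartDate
    while ($windowStart -lt $EndDate) {
        $windowEnd = $windowStart.AddHours($WindowHours)
        if ($windowEnd -gt $EndDate) { $windowEnd = $EndDate }

        # Fresh SessionId per window and per run, so paging starts at page one
        # instead of continuing a session left over from an earlier attempt.
        $sessionId = "PowerBI-$([guid]::NewGuid())"
        $fetched   = 0
        $expected  = 0

        do {
            # @() turns "no output" into an empty array so .Count is always valid.
            $page = @(Search-UnifiedAuditLog -StartDate $windowStart -EndDate $windowEnd `
                -RecordType PowerBIAudit -SessionId $sessionId `
                -SessionCommand ReturnLargeSet -ResultSize 5000)

            if ($page.Count -gt 0) {
                # Each record carries the total the service reports for the search.
                $expected = $page[0].ResultCount
                $fetched += $page.Count
                $page | Export-Csv -Path $Path -NoTypeInformation -Append
            }
        } while ($page.Count -gt 0)   # an empty page marks the end of the session

        if ($fetched -ge 50000) {
            # Per-session cap reached: this window is probably truncated.
            Write-Warning "Window $windowStart to $windowEnd hit 50000 records; use a smaller -WindowHours."
        }
        elseif ($fetched -ne $expected) {
            Write-Warning "Window $windowStart to $windowEnd returned $fetched of $expected records."
        }

        $windowStart = $windowEnd
    }
}
```

A record stamped exactly on a window boundary can appear in two windows; the Identity column in the CSV can be used to de-duplicate.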