Forum Discussion

dmarquesgn's avatar
dmarquesgn
Iron Contributor
Jan 26, 2023
Solved

Search-UnifiedAuditLog limitation on number of results

Hi, I need to extract PowerBI audit logs in order to get some valuable information. So, I'm using Search-UnifiedAuditLog command, which according to the documentation could parse 50.000 records. B...
Windows PowerShell
  • VasilMichev's avatar
    VasilMichev
    Jan 27, 2023
    The variable is getting overwritten at every "page", so on each append, new results are added (usorted!) The cycle will run until the "last" page is returned, which should contain 0 entries, thus invalidating the condition.
    The example above works fine in my tenant, I fetched 30k+ records with it, with no duplication at least according to Excel 🙂
    The only thing I changed was to remove the RecordType, as I don't have that many events in my personal tenant.
VasilMichev's avatar
VasilMichev
MVP
Jan 26, 2023
Third/Fourth example in the documentation article is what you need. You simply rerun the cmdlet, each time you get a new page (up to 5000 results), until you reach the end of result (i.e. you get empty output). Don't forget to set a sessionId and reuse it!
dmarquesgn's avatar
dmarquesgn
Iron Contributor
Jan 26, 2023

VasilMichev 

Hi, thanks for the reply. I thought about that, but I'm missing something here. You mean something like this:

$StartDate = (Get-Date).AddDays(-90)
$EndDate = Get-Date
$AuditOutput = 1
while ($AuditOutput) {
    Write-Host "Searching for Power BI audit records..."
    $AuditOutput = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -SessionId "Test" -SessionCommand ReturnLargeSet -RecordType PowerBIAudit -ResultSize 5000
    $AuditOutput | Export-Csv -Path "C:\Temp\26-01-2023-PowerBI-AuditLog.csv" -NoTypeInformation -Append
}

The problem here is that this returns about 3000 lines on the CSV while the CSV I extracted from the Compliance portal has about 110k lines.

Can you understand what I'm missing here?

  • VasilMichev's avatar
    VasilMichev
    MVP
    Jan 26, 2023
    Try using do/while instead:

    $AuditOutput = @()
    do {
    Write-Host "Searching for Power BI audit records..."
    $AuditOutput = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -SessionId "Test" -SessionCommand ReturnLargeSet -RecordType PowerBIAudit -ResultSize 5000
    $AuditOutput | Export-Csv -Path "C:\Temp\26-01-2023-PowerBI-AuditLog.csv" -NoTypeInformation -Append
    } while ($AuditOutput)
    • dmarquesgn's avatar
      dmarquesgn
      Iron Contributor
      Jan 27, 2023

      VasilMichev 

      Hi,

      Just tried your code, but in fact it's creating the same records over and over again.

      When I stopped the process my csv had already 1Gb, and when I opened it there where dozens of similar records, so it's storing the same data over and over again.

      Shouldn't the $AuditOutput variable be cleared at some point? What it seems is that it's storing all the information that comes out from the "Search-UnifiedAuditLog" command.

      • VasilMichev's avatar
        VasilMichev
        MVP
        Jan 27, 2023
        The variable is getting overwritten at every "page", so on each append, new results are added (usorted!) The cycle will run until the "last" page is returned, which should contain 0 entries, thus invalidating the condition.
        The example above works fine in my tenant, I fetched 30k+ records with it, with no duplication at least according to Excel 🙂
        The only thing I changed was to remove the RecordType, as I don't have that many events in my personal tenant.