Forum Discussion

dmarquesgn's avatar
dmarquesgn
Iron Contributor
Jan 26, 2023
Solved

Search-UnifiedAuditLog limitation on number of results

Hi, I need to extract PowerBI audit logs in order to get some valuable information. So, I'm using Search-UnifiedAuditLog command, which according to the documentation could parse 50.000 records. B...
Windows PowerShell
  • VasilMichev's avatar
    VasilMichev
    Jan 27, 2023
    The variable is getting overwritten at every "page", so on each append, new results are added (usorted!) The cycle will run until the "last" page is returned, which should contain 0 entries, thus invalidating the condition.
    The example above works fine in my tenant, I fetched 30k+ records with it, with no duplication at least according to Excel 🙂
    The only thing I changed was to remove the RecordType, as I don't have that many events in my personal tenant.
dmarquesgn's avatar
dmarquesgn
Iron Contributor
Jan 26, 2023

VasilMichev 

Hi, thanks for the reply. I thought about that, but I'm missing something here. You mean something like this:

$StartDate = (Get-Date).AddDays(-90)
$EndDate = Get-Date
$AuditOutput = 1
while ($AuditOutput) {
    Write-Host "Searching for Power BI audit records..."
    $AuditOutput = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -SessionId "Test" -SessionCommand ReturnLargeSet -RecordType PowerBIAudit -ResultSize 5000
    $AuditOutput | Export-Csv -Path "C:\Temp\26-01-2023-PowerBI-AuditLog.csv" -NoTypeInformation -Append
}

The problem here is that this returns about 3000 lines on the CSV while the CSV I extracted from the Compliance portal has about 110k lines.

Can you understand what I'm missing here?

VasilMichev's avatar
VasilMichev
MVP
Jan 26, 2023
Try using do/while instead:

$AuditOutput = @()
do {
Write-Host "Searching for Power BI audit records..."
$AuditOutput = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -SessionId "Test" -SessionCommand ReturnLargeSet -RecordType PowerBIAudit -ResultSize 5000
$AuditOutput | Export-Csv -Path "C:\Temp\26-01-2023-PowerBI-AuditLog.csv" -NoTypeInformation -Append
} while ($AuditOutput)
  • dmarquesgn's avatar
    dmarquesgn
    Iron Contributor
    Jan 27, 2023

    VasilMichev 

    Hi,

    Just tried your code, but in fact it's creating the same records over and over again.

    When I stopped the process my csv had already 1Gb, and when I opened it there where dozens of similar records, so it's storing the same data over and over again.

    Shouldn't the $AuditOutput variable be cleared at some point? What it seems is that it's storing all the information that comes out from the "Search-UnifiedAuditLog" command.

    • VasilMichev's avatar
      VasilMichev
      MVP
      Jan 27, 2023
      The variable is getting overwritten at every "page", so on each append, new results are added (usorted!) The cycle will run until the "last" page is returned, which should contain 0 entries, thus invalidating the condition.
      The example above works fine in my tenant, I fetched 30k+ records with it, with no duplication at least according to Excel 🙂
      The only thing I changed was to remove the RecordType, as I don't have that many events in my personal tenant.
      • BohdanKovalchuk's avatar
        BohdanKovalchuk
        Copper Contributor
        Feb 05, 2025

        I have issues with it. This is my script. And it loads the same 5k data over and over again. Could you please confirm that this still working well on your side?

        I tried on ExchangeOnlineManagement versions 3.0.0, 3.3.0, 3.7.0. Result is the same

        $AuditOutput = @()
do {
Write-Host "Searching for Power BI audit records..."
$AuditOutput = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -SessionId "Test" -SessionCommand ReturnLargeSet -RecordType PowerBIAudit -ResultSize 5000
$AuditOutput | Export-Csv -Path "/home/bohdankov/AuditLog.csv" -NoTypeInformation -Append
} while ($AuditOutput)