SOLVED

Missing day(s) from Search-AdminAuditLog and Search-UnifiedAuditLog Results

Copper Contributor

Hey Everyone!
We've noticed that when running the Search-AdminAuditLog or Search-UnifiedAuditLog cmdlets, the collection returned never has the current day, and sometimes is missing the prior day or parts of the prior day. We've investigated the following already:

  • Converted to UTC time
  • Ran the query from the UI to see if it differed from what PowerShell is returning - it was the same
  • Searched current documentation to see if this is a known bug or feature - nothing found
  • Shortened our search from 90 days to 7 days, and then just the current day - same results

Can anyone help clear up how to access this current reporting from PowerShell? We're putting a script together for email comp response and the current data is a must.

Thanks!

2 Replies
Add one extra day to your end date if you want to cover events from today. For example:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date).AddDays(1) -ResultSize 1

will return the most recent event from today. Of course, keep in mind that log ingestion is not a real-time process and there are (quite noticeable) delays.
best response confirmed by O365adjacent (Copper Contributor)
Solution

@Vasil Michev, this totally worked. Thank you so much! After roughly 14 man hours of working on this with various team members, we never even thought of this. Have a great day!
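
For a script that needs every event in the window rather than a single record, the padded end date from the reply above can be combined with the cmdlet's session paging. This is an added example, not code from the thread; it assumes an Exchange Online PowerShell session is already connected, and the function name `Get-RecentAuditEvents` is hypothetical.

```powershell
# Added example, not from the thread. Assumes Connect-ExchangeOnline has already run.
function Get-RecentAuditEvents {        # hypothetical helper name
    param(
        [int]$DaysBack = 1,             # how far back the window starts
        [string[]]$Operations           # optional filter, e.g. 'New-InboxRule'
    )

    $start = (Get-Date).AddDays(-$DaysBack)
    $end   = (Get-Date).AddDays(1)      # pad the end date so today's events are in range

    $params = @{
        StartDate      = $start
        EndDate        = $end
        SessionId      = "recent-audit-$([guid]::NewGuid())"  # ties the pages together
        SessionCommand = 'ReturnLargeSet'                      # paged, unsorted results
        ResultSize     = 5000                                  # largest page the cmdlet allows
    }
    if ($Operations) { $params.Operations = $Operations }

    # Repeat the same call with the same SessionId until a page comes back empty.
    $all = @()
    do {
        $page = @(Search-UnifiedAuditLog @params)
        $all += $page
    } while ($page.Count -gt 0)

    # ReturnLargeSet does not sort, so order by event time before looking at the newest.
    $sorted = @($all | Sort-Object CreationDate -Descending)
    $newest = $sorted | Select-Object -First 1

    [pscustomobject]@{
        WindowStart = $start
        WindowEnd   = $end
        EventCount  = $sorted.Count
        NewestEvent = if ($newest) { $newest.CreationDate } else { $null }
        Events      = $sorted
    }
}

$result = Get-RecentAuditEvents -DaysBack 1
$result | Select-Object WindowStart, WindowEnd, EventCount, NewestEvent
```

Comparing `NewestEvent` with the current time shows how far ingestion is lagging at the moment the script runs, which is the delay the reply warns about.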

 
