Need to deal with the 50k Item limit

[Canthv0]

Search-UnifiedAuditLog will only return 50k items. If the search gets back >50k items we have two issues:

1. How do we get all of the items back and not just the 50K
2. Right now the return gets stuck in a loop and will keep trying to get back the 50k

[davidrudduck]

Could you use something like the example script at this url (https://blogs.msdn.microsoft.com/tehnoonr/2018/01/26/retrieving-office-365-audit-data-using-powershell/) to pull down the Unified Audit Log in 15 minute chunks?

Or start with 60 minute chunks and if the query produces > 5,000 results reduce the time slice further to help optimise the pull.

I hacked at the above script and managed to pull down 1.2GB worth of Unified Audit Log for a tenancy before it finally crapped out.

[T0pCyber]

Does Robust Cloud Command help against this restriction?

[jonnybottles]

To more efficiently track and resolve this issue, we've opened a new ticket:

Ticket #153: Implement Logic to Handle Result Size and Item Limits in Scripts
This new ticket consolidates the discussions and focuses our efforts on implementing a robust solution. We will be closing Ticket #22 and Ticket #93 in favor of this new ticket.

Please feel free to follow the progress on Ticket #153 and contribute any additional feedback or suggestions there. Your input is invaluable in helping us improve Hawk.