25,081 questions
Let's say that $A literal representation is:
Metadata Name
-------- ----
@{Height=6} Alfredo
All has been parsed, you can access Height this way:
$A.Metadata.Height
Search-UnifiedAuditLog ConvertFrom-Json AuditData nested data
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 62%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Mali Stane
91
Reputation points
HI,
I’m searching O365 UnifiedAuditLog fro specific event. Problem is hat there is nested object and when doing conversion from Jason not all data is parsed.
AuditData : {"CreationTime":"2020-09-07T11:34:11","Id":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","Operation":"FolderBind","OrganizationId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx","RecordType":2,"ResultStatus":"Succeeded","UserKey":"1003200047779776","UserType":0,"Version":1,"Workload":"Exchange","ClientIP":"2603:xxxx:xxxx:xx:xxxx::81","UserId":"@doamin.com","AppId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx","ClientAppId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx","ClientIPAddress":"2603:xxxx:xxxx:xx:xxxx::81","ClientInfoString":"Client=REST;Client=RESTSystem;;","ExternalAccess":false,"InternalLogonType":2,"LogonType":2,"LogonUserSid":"S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxx","MailboxGuid":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","MailboxOwnerSid":"S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxx","MailboxOwnerUPN":"@doamin.com","Organizat ":"domain.onmicrosoft.com","OriginatingServer":"VI1P195MBXXXX (15.20.3348.019)\u000d\u000a","Item":{"Id":"YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY","ParentFolder":{"Id":"YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY","Path":"\Send"}}}
Problem start with Item":{".
Data that is returned Item : @{Id=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY; ParentFolder=}
Is there any easy solution for this. I would like to pars output to CSV
Br,
Stane
Microsoft Security Microsoft Entra Microsoft Entra ID
Accepted answer
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator2020-09-28T21:45:06.383+00:00
2 additional answers
Sort by: Most helpful
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
2020-09-10T21:51:21.737+00:00 All data should be parsed @{Propety=Value...} is just the literal representation of the deserialized PScustomObject.
--
Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator2020-09-25T23:24:01.563+00:00 @Mali Stane
I just wanted to check in and see if you required additional assistance or if you were able to resolve this issue?----------
If any reply/answer helped resolve your question, please remember to "mark as answer" so that others in the community facing similar issues can easily find the solution.
Sign in to comment -
-
Mali Stane 91 Reputation points
2020-09-26T06:53:45.96+00:00 Hi alfredo-revilla-msft,
Can you help me, with sample : @{Propety=Value...}I have done a workaround for event FolderBind. Because after “,"Item":” array, i get / we have two different parameter listed based on if this is client access or restapi access “like” Search.
But thank you that you take a time to answer. I miss TechNet forum…