Configure and Secure the Tool

Caution: The Investigation Tool returns 180 days of data from all logs. Gmail log search is limited to 30 days unless you have the message ID and recipient email address. You can export Google Workspace logs and usage reports to BigQuery; over time, this gives you access to data beyond the 30-day/6-month window. See Export your Google Logs to BigQuery for a Big Win.

Configure the Investigation Tool Settings

Before using the investigation tool, you'll want to configure the settings. Access the tool at Security > Security center > Investigation Tool, then click the cog wheel in the right-hand side toolbar to configure: 

  • Time zone: You can change the time zone to ensure the time stamps are your local time.
  • Require reviewer: Helpful when actions require manipulation of large data sets. When turned on, admins who attempt to take action on 300 items or more will have to specify a second admin to confirm the changes. See Require reviewers for bulk actions.
    • Bulk actions will show status messages: Awaiting approval, completed, or expired. The status also shows total attempted successes or failures. To view action status, click the Tasks icon (hourglass) in the upper right-hand side of the Admin console. See Check the status of large tasks.
    • Approve bulk actions: Click the email sent; it directs you to the investigation tool. Click APPROVE (or REJECT). Respond within 72 hours to the email notification, or your action will expire.
    • Cancel bulk actions: Navigate to the bottom of the Investigation page and click CANCEL. Canceling actions in the investigation tool can result in partial results if a reviewer has approved the bulk action and it is in progress.
  • Allow admins to view sensitive content in logs: For investigations you create, you can allow admins with the appropriate privilege to view email content. This content may include sensitive data such as Personally Identifiable Information (PII).
    • Require admins to enter justification for viewing sensitive content: This is an optional setting. When turned on, admins with appropriate privileges must enter a justification text before performing the action. It is commonly turned on for viewing email content.
  • Enable action justification: When turned on, admins with appropriate privileges can enter justification text before performing actions. 

See Configure settings for your investigations.

Audit Log for Investigation Tool actions

The Audit Log includes the following information for Investigation tool queries, actions, and bulk action reviews:

  • Query performed
  • Action performed
  • Action completed
  • Action cancelled
