Searching and Taking Action

Caution: The Investigation Tool returns 180 days of data from all logs. Gmail log search does have a limit of 30 days unless you have the message ID and recipient email address. You can export Google Workspace logs and usage reports to Big Query. Over time, this gives you access to data past the 30 day/6 month window. See Export your Google Logs to BigQuery for a Big Win.

Build a search

To build out searches in the investigation tool:

  1. Start with a data source.
  2. Define your conditions.
  3. (Optional) Organize your results with group-by or click a data item to pivot to a new search.
  4. Take action directly within the tool or export your findings to Sheets.

Pro Tip: You can manage the columns to view critical information. Click the cog wheel in the investigation tool results and choose which columns to include.


Actions you can take

Below are actions you can take based on the data source you are querying. See more details here

  • Drive log events: Add/remove users, change owners, disable download/print/copy, audit file permissions
  • Gmail log events and Gmail messages: View header, view messages, delete messages, restore messages, mark message as spam, mark message as phishing, send message to inbox, send message to quarantine
  • User log events and users: Suspend user, restore user, delete user, reset password
  • Device log events and devices: Approve device, block device, admin account wipe device, remote wipe device, cancel remote wipe device

Note: You will need to select one or more search result rows for the ACTIONS menu to appear and allow you to choose what changes to make.


Document Version Date Description of Change


Articles in this section