The Investigation Tool in Google Workspace allows admins to search logs, review data, and take direct action based on their findings. This article provides an overview of building searches, managing results, and performing key actions, helping you maintain control over your environment. You will learn how to search across multiple data sources, filter results, and take immediate action to protect your domain.
Caution: The Investigation Tool returns 180 days of data from all logs. Gmail log search is limited to 30 days unless you have the message ID and recipient email address. You can export Google Workspace logs and usage reports to BigQuery. Over time, this gives you access to data past the 30-day/6-month window. See Export your Google Logs to BigQuery for a Big Win.
Building a Search in the Investigation Tool
To start building a search:
- Choose a data source – Select the log you want to search, such as Gmail, Drive, User, or Device logs.
- Define your conditions – Set filters to narrow your search, such as date range, event type, or specific users.
- Organize your results – Optionally, group results by certain fields or click on a specific data item to pivot your search.
- Take action or export findings – Once your results are displayed, you can take direct actions within the tool or export the data to Google Sheets for further analysis.
Note: You must select one or more search result rows for the "Actions" menu to appear, enabling you to choose the appropriate actions based on the search results.
| Document Version | Date | Description of Change |
| --- | --- | --- |
| 1.0 | 9/10/2024 | Rewrote, reverified |