This feature is available with Cloud Identity Premium edition. Compare editions
Search results in the investigation tool are displayed in a table at the bottom of the search card. The details in these search results depend on the criteria that you used for your search. For details about the available search criteria, see Customize searches within the investigation tool.
Manage the display of columns in the search results
In the top-right corner of the search-results table, click the Manage columns icon to customize how the columns are displayed in the search results. In the Manage columns window, you can remove columns, add new columns, or drag and drop columns to different locations to reorganize the display of the search results.
Export search results to a Sheets file in your My Drive folder
To save search results to your My Drive folder, click the Export all icon at the top of the table.
View exported search results
Note the following when viewing exported search results:
- After you click the Export all icon at at the top of the table, a Google Sheet is created in your My Drive folder that includes the search results. Depending on the size of the results, the export process could take some time, and multiple Google Sheets might be created. The total results of the export are limited to 30 million rows (except for Gmail message searches, which are limited to 1.25 million rows).
- While the export is in-progress, Google Sheets are created with a temporary name—for example, TMP-1-<title>. If multiple Google Sheets are created, additional files are named TMP-2-<title>, TMP-3-<title>, and so on. When the export process is completed, the files are automatically renamed to: <title> [1 of N], <title> [2 of N], and so on. If only one Google Sheet contains the exported data, the file is renamed to <title>.
- Sharing permissions for files with the exported search results are per your domain configuration. For example, if by default the files created will be shared with everyone in the company, then the exported data will also have this visibility.
Events from the Gmail log data source have a freshness latency of up to 60 minutes. This means search results may not include Gmail events that are less than 60 minutes old.
For Drive log events, Device log events, and User log events, the freshness latency is 80 minutes.
For searches on devices, it may take up to 3 days for new data to be reflected in all search results. For searches on users, it may take up to 36 hours.
Data retention for Gmail and Drive log data
Gmail log data is retained for 30 days. Drive log data is retained for 6 months.
Admin audit log
Administrator queries and actions in the investigation tool can be reviewed in the Admin audit log.
In the Admin audit log, you can view the types of queries that admins conducted and also see details about which filters were used. For actions, you can click a link in the Admin audit log to directly view the results within the investigation tool.