Using Search Properties and Operators with eDiscovery
Using Search Properties and Operators with eDiscovery
I am back with some more information about eDiscovery search with Exchange, SharePoint and Lync. This time learn about search properties and operators. Before we start, here are some related useful resources.
Overview of Microsoft Office eDiscovery with Exchange, SharePoint, and Lync 2013
Searching and Using Keywords in eDiscovery
Keyword Query Language Syntax Reference
Overview of crawled and managed properties in SharePoint Server 2013
Message properties and search operators for In-Place eDiscovery
Using Keyword Search Syntax and eDiscovery – my previous blog post on this topic
Properties
- Properties and free text keywords cannot be combined into a single query unless you use quotes for the property value. For example this query: Design Documents author:Dan Jump. This will succeed, but you won’t get the results you expect. It will search all documents that have Design AND Documents AND Jump anywhere in the properties or text and where Dan is in the author field. This query would be more explicit: Design Documents AND author:"Dan Jump"
- Type properties with values to match in property:value form. Values are not case-sensitive. When searching for properties, for example Author:Dan, the value for the property cannot have a space after the operator. If there is a space, your intended value will just be full text searched, for example Author: Dan would search for Dan as a keyword, rather than only items where the Author is Dan.
- Use quotation marks to find phases within a property or use wildcards to find partial matches that begin with the specified letters. If you look for filename:"Budget Q1" (with quotation marks), your search will return a file named “Budget Q1 Financials” A search for filename:budget (without quotation marks) will return the files “Budget Q1 Financials” and “Budget Q2 Financials”.
- When searching a property, use quotes if you have multiple words. For example filename:Budget Q1 will not return what you want, it will search for files with Budget in the name and do a full text search for Q1. You will get more results than you expect.
- There are several out of box properties that can be searched on (see below for more examples) and administrators can configure additional ones.
IMPORTANT NOTE: When you search on a property that is specific to Exchange or SharePoint, all results from the other product will be excluded. For example if you search BCC in the keywords field, there is no BCC in SharePoint so you will only get Exchange results. If you search with the Author field, this is SharePoint only and will exclude Exchange results. To get around this use the Specify Property option on the eDiscovery query page.
Here are some of the SharePoint search properties that are available that are useful for eDiscovery:
Property |
Type |
Example |
Description |
Author |
Person |
Author:"Garth Fort" OR Author:"garthf@contoso.com" |
The author field from Office documents. If users create a document and email it to someone else, then the 2nd person uploads it to SharePoint it will still have the original author. |
ContentType |
String |
ContentType:Document |
The content type of the item such as Item, Document, or Video. |
Created |
Date |
Created>=7/1/2013 |
Date the item was created. |
CreatedBy |
Person |
CreatedBy:"Garth Fort" |
The person that created or uploaded the item. |
DetectedLanguage |
String |
DetectedLanguage:English |
The language of the item. |
FileExtension |
String |
FileExtension:XLSX |
The extension of files. |
FileName |
String |
FileName:"Marketing Plan" |
Name of files. |
LastModifiedTime |
Date |
LastModifiedTime>=7/1/2013 |
The date the item was last modified. |
ModifiedBy |
Person |
ModifiedBy:"Garth Fort" |
The person to last change the item. |
Size |
Integer |
Size>=1 Size:1..50000 |
The size of the item in Bytes. |
Title |
String |
Title:"Marketing Plan" |
The title of the document. Title is metadata specified in Office files and is different from the file name. |
Here are eDiscovery properties for Exchange:
Property |
Type |
Example |
Description |
Attachment |
String |
Attachment:file.docx |
The file name of message attachments. |
BCC |
String |
BCC:"garthf@contoso.com" |
The BCC field. |
Body |
String |
Body:"Northwind Marketing" |
The body of the message. |
Category |
String |
category:"Red Category" |
Categories that can be defined by the user in OWA our Outlook. |
CC |
String |
CC:"garthf@contoso.com" |
The CC field. |
From |
String |
From:"garthf@contoso.com" From:contoso |
The sender of the message. |
Importance |
String |
Importance:Low Importance:Medium Importance:High |
Senders can set an importance value when sending a message. By default importance is set to medium. |
Kind |
String |
Kind:email Kind:email OR Kind:contacts OR Kind:meetings |
Values:
|
Participants |
String |
Participants:"garthf@contoso.com" Participants:"contoso" |
All sender and recipient fields: From, To, CC, and BCC. |
Received |
Date |
Received:7/15/2014 |
The date that a message is received. |
Recipients |
String |
Recipients:"garthf@contoso.com" Recipients:"contoso" |
Searches the recipient fields: To, CC, and BCC. |
Sent |
Date |
Sent:7/15/2014 |
The date that a message is sent. |
Size |
Integer |
Size>=1 Size:1..50000 |
The size of the item in Bytes. |
Subject |
Text |
Subject:"Northwind Marketing" |
The subject of the message. |
To |
String |
To:"garthf@contoso.com" |
The To field. |
Operators
- Queries can use prefix wildcard characters using an asterisk (*). A wildcard will search for 0 or more characters in keywords or property values. You can use wild cards to replace part of a word for example set* will return results with setting and setup. Wildcards can also replace an entire word for example " fair * " would return fair value.
- You can use wildcards to get variants of a property. For example FileExtension:XLS*will return all files with the extension XLS or XLSX.
- A space between two different properties is an AND. For example author:"Sara Davis" Title:"Marketing" will find documents where Sara Davis was the author and the title has the word Marketing.
- Search interprets the space between terms that use the same property as an "OR." For example, if the author property is available, and you look for author:"Sara Davis" author:"Garth Fort" , your search will return any items authored by Sara Davis OR Garth Fort.
- To exclude content marked with a certain property value from your search results, place a minus sign (-) before the name of the property. For example -from:"Sara Davis” will exclude any messages sent by Sara Davis.
Operator |
Usage |
Description |
: |
Property:value |
Specify equality match on property values |
< |
Property <value |
Property is less than a value for dates and integers |
> |
Property >value |
Property is greater than a specific value |
<= |
Property <=value |
Property is less than or equal to a specific value. |
>= |
Property >=value |
Property is greater than or equal to a specific value. |
.. |
Property: value1..value2 |
Property is greater than or equal to value1 and less than or equal to value2 |
AND |
Keyword1 AND keyword2 |
Forced inclusion |
+ |
Keyword1 +keyword2 |
Forced inclusion |
OR |
Keyword1 OR keyword2 |
Logical or |
NOT |
Keyword1 NOT keyword2 |
logical not |
- |
Keyword1 -keyword2 |
Logical not |
"" |
"fair value" |
Exact Phrase match in keywords and property values. Can be used to include single quotes in search terms. |
* |
set* OR patent AND property:set* |
Wildcard match for 0 or more characters in keywords or property values |
( ) |
(fair OR free) AND (author:Dan) |
Group query terms and/or properties together |
Thanks for reading, may the search be with you.
Quentin Christensen, Program Manager