Using Search Properties and Operators with eDiscovery
I am back with some more information about eDiscovery search with Exchange, SharePoint and Lync. This time learn about search properties and operators. Before we start, here are some related useful resources.
Overview of Microsoft Office eDiscovery with Exchange, SharePoint, and Lync 2013
Searching and Using Keywords in eDiscovery
Keyword Query Language Syntax Reference
Overview of crawled and managed properties in SharePoint Server 2013
Message properties and search operators for In-Place eDiscovery
Using Keyword Search Syntax and eDiscovery – my previous blog post on this topic
IMPORTANT NOTE: When you search on a property that is specific to Exchange or SharePoint, all results from the other product will be excluded. For example if you search BCC in the keywords field, there is no BCC in SharePoint so you will only get Exchange results. If you search with the Author field, this is SharePoint only and will exclude Exchange results. To get around this use the Specify Property option on the eDiscovery query page.
Here are some of the SharePoint search properties that are available that are useful for eDiscovery:
Author:"Garth Fort" OR Author:"email@example.com"
The author field from Office documents. If users create a document and email it to someone else, then the 2nd person uploads it to SharePoint it will still have the original author.
The content type of the item such as Item, Document, or Video.
Date the item was created.
The person that created or uploaded the item.
The language of the item.
The extension of files.
Name of files.
The date the item was last modified.
The person to last change the item.
The size of the item in Bytes.
The title of the document. Title is metadata specified in Office files and is different from the file name.
Here are eDiscovery properties for Exchange:
The file name of message attachments.
The BCC field.
The body of the message.
Categories that can be defined by the user in OWA our Outlook.
The CC field.
The sender of the message.
Senders can set an importance value when sending a message. By default importance is set to medium.
Kind:email OR Kind:contacts OR Kind:meetings
All sender and recipient fields: From, To, CC, and BCC.
The date that a message is received.
Searches the recipient fields: To, CC, and BCC.
The date that a message is sent.
The size of the item in Bytes.
The subject of the message.
The To field.
Specify equality match on property values
Property is less than a value for dates and integers
Property is greater than a specific value
Property is less than or equal to a specific value.
Property is greater than or equal to a specific value.
Property is greater than or equal to value1 and less than or equal to value2
Keyword1 AND keyword2
Keyword1 OR keyword2
Keyword1 NOT keyword2
Exact Phrase match in keywords and property values. Can be used to include single quotes in search terms.
OR patent AND property:set*
Wildcard match for 0 or more characters in keywords or property values
(fair OR free) AND (author:Dan)
Group query terms and/or properties together
Thanks for reading, may the search be with you.
Quentin Christensen, Program Manager