Using Search Properties and Operators with eDiscovery

I am back with some more information about eDiscovery search with Exchange, SharePoint and Lync. This time learn about search properties and operators. Before we start, here are some related useful resources.

Overview of Microsoft Office eDiscovery with Exchange, SharePoint, and Lync 2013

Searching and Using Keywords in eDiscovery

Keyword Query Language Syntax Reference

Overview of crawled and managed properties in SharePoint Server 2013

Message properties and search operators for In-Place eDiscovery

Using Keyword Search Syntax and eDiscovery – my previous blog post on this topic

Properties

  • Properties and free text keywords cannot be combined into a single query unless you use quotes for the property value. For example this query: Design Documents author:Dan Jump. This will succeed, but you won’t get the results you expect. It will search all documents that have Design AND Documents AND Jump anywhere in the properties or text and where Dan is in the author field. This query would be more explicit: Design Documents AND author:"Dan Jump"
  • Type properties with values to match in property:value form. Values are not case-sensitive. When searching for properties, for example Author:Dan, the value for the property cannot have a space after the operator. If there is a space, your intended value will just be full text searched, for example Author: Dan would search for Dan as a keyword, rather than only items where the Author is Dan.
  • Use quotation marks to find phases within a property or use wildcards to find partial matches that begin with the specified letters. If you look for filename:"Budget Q1" (with quotation marks), your search will return a file named “Budget Q1 Financials” A search for filename:budget (without quotation marks) will return the files “Budget Q1 Financials” and “Budget Q2 Financials”.
  • When searching a property, use quotes if you have multiple words. For example filename:Budget Q1 will not return what you want, it will search for files with Budget in the name and do a full text search for Q1. You will get more results than you expect.
  • There are several out of box properties that can be searched on (see below for more examples) and administrators can configure additional ones.

IMPORTANT NOTE: When you search on a property that is specific to Exchange or SharePoint, all results from the other product will be excluded. For example if you search BCC in the keywords field, there is no BCC in SharePoint so you will only get Exchange results. If you search with the Author field, this is SharePoint only and will exclude Exchange results. To get around this use the Specify Property option on the eDiscovery query page.

 

Here are some of the SharePoint search properties that are available that are useful for eDiscovery:

Property

Type

Example

Description

Author

Person

Author:"Garth Fort" OR Author:"garthf@contoso.com"

The author field from Office documents. If users create a document and email it to someone else, then the 2nd person uploads it to SharePoint it will still have the original author.

ContentType

String

ContentType:Document

The content type of the item such as Item, Document, or Video.

Created

Date

Created>=7/1/2013

Date the item was created.

CreatedBy

Person

CreatedBy:"Garth Fort"

The person that created or uploaded the item.

DetectedLanguage

String

DetectedLanguage:English

The language of the item.

FileExtension

String

FileExtension:XLSX

The extension of files.

FileName

String

FileName:"Marketing Plan"

Name of files.

LastModifiedTime

Date

LastModifiedTime>=7/1/2013

The date the item was last modified.

ModifiedBy

Person

ModifiedBy:"Garth Fort"

The person to last change the item.

Size

Integer

Size>=1

Size:1..50000

The size of the item in Bytes.

Title

String

Title:"Marketing Plan"

The title of the document. Title is metadata specified in Office files and is different from the file name.

 

Here are eDiscovery properties for Exchange:

Property

Type

Example

Description

Attachment

String

Attachment:file.docx

The file name of message attachments.

BCC

String

BCC:"garthf@contoso.com"

The BCC field.

Body

String

Body:"Northwind Marketing"

The body of the message.

Category

String

category:"Red Category"

Categories that can be defined by the user in OWA our Outlook.

CC

String

CC:"garthf@contoso.com"

The CC field.

From

String

From:"garthf@contoso.com"

From:contoso

The sender of the message.

Importance

String

Importance:Low

Importance:Medium

Importance:High

Senders can set an importance value when sending a message. By default importance is set to medium. 

Kind

String

Kind:email

Kind:email OR Kind:contacts OR Kind:meetings

Values:

  • contacts
  • docs
  • email
  • faxes
  • im
  • journals
  • meetings
  • notes
  • posts
  • rssfeeds
  • tasks
  • voicemail

Participants

String

Participants:"garthf@contoso.com"

Participants:"contoso"

All sender and recipient fields: From, To, CC, and BCC.

Received

Date

Received:7/15/2014

The date that a message is received.

Recipients

String

Recipients:"garthf@contoso.com"

Recipients:"contoso"

Searches the recipient fields: To, CC, and BCC.

Sent

Date

Sent:7/15/2014

The date that a message is sent.

Size

Integer

Size>=1

Size:1..50000

The size of the item in Bytes.

Subject

Text

Subject:"Northwind Marketing"

The subject of the message.

To

String

To:"garthf@contoso.com"

The To field.

 

Operators 

  • Queries can use prefix wildcard characters using an asterisk (*). A wildcard will search for 0 or more characters in keywords or property values. You can use wild cards to replace part of a word for example set* will return results with setting and setup. Wildcards can also replace an entire word for example "fair *" would return fair value.
  • You can use wildcards to get variants of a property. For example FileExtension:XLS*will return all files with the extension XLS or XLSX.
  • A space between two different properties is an AND. For example author:"Sara Davis" Title:"Marketing" will find documents where Sara Davis was the author and the title has the word Marketing.
  • Search interprets the space between terms that use the same property as an "OR." For example, if the author property is available, and you look for author:"Sara Davis" author:"Garth Fort", your search will return any items authored by Sara Davis OR Garth Fort.  
  • To exclude content marked with a certain property value from your search results, place a minus sign (-) before the name of the property. For example -from:"Sara Davis” will exclude any messages sent by Sara Davis.

Operator

Usage

Description

:

Property:value

Specify equality match on property values

Property <value

Property is less than a value for dates and integers

Property >value

Property is greater than a specific value

<=

Property <=value

Property is less than or equal to a specific value. 

>=

Property >=value

Property is greater than or equal to a specific value. 

..

Property: value1..value2

Property is greater than or equal to value1 and less than or equal to value2

AND

Keyword1 AND keyword2

Forced inclusion

+

Keyword1 +keyword2

Forced inclusion

OR

Keyword1 OR  keyword2

Logical or

NOT

Keyword1 NOT keyword2

logical not

-

Keyword1 -keyword2

Logical not

""

"fair value"

Exact Phrase match in keywords and property values. Can be used to include single quotes in search terms.

*

set*

OR patent AND property:set*

Wildcard match for 0 or more characters in keywords or property values

( )

(fair OR free) AND (author:Dan)   

Group query terms and/or properties together

  

Thanks for reading, may the search be with you.

Quentin Christensen, Program Manager