Custom Search

OVERVIEW

The custom search feature is intended to provide advanced users with the flexibility to create searches that are more complex than those that are available via the Simple, Advanced, or Wizard-based search features.  Examples of capabilities that are accessible via Custom Search include:

Advanced Boolean Queries - Combining Boolean logic (i.e. AND, OR, NOT) with grouping to locate messages or documents based on a combination of nested conditions.

Fuzzy Queries - Including common misspellings and alternate spellings of search terms in results.

Proximity Queries - Searching for terms that exist within a certain number of terms of one another in a document or attachment.

Advanced Date/Time Queries - Combining date/time ranges with Boolean logic and/or wildcard capabilities to search for messages based on a variety of time-related criteria.

NOTE: Custom search might yield different search results than the other search types. When you enter items into a custom search query, our search mechanism searches on exactly what was entered, creating a more precise search. When you use Simple, Advanced, or Wizard search, our search mechanism also includes other back-end fields, which may return more items than a Custom search and give you a wider range of data to review.


CREATING A CUSTOM SEARCH

The process of creating a custom search is as follows:

        1. Access the Custom Search feature:

                * Log in as a Search Administrator.

                * Click the “Start New Search” button from the Dashboard or Search tab. 

                * Once the “New Search” page loads, click the “Custom” tab.

        2. Enter a name for the new custom search. 

        3. Select E-mail, Lync IMs, or both for inclusion in the search (if Lync instant messages are enabled).

        4. Create a Custom Query.  For assistance creating a custom query, read below.

        5. (Optional) Select the start date for the search using the “Begins On” date picker.        

        6. (Optional) Enter the end date for the search using the “Ends On” date picker. If you leave the "Ends on" field blank, the results will start from the date chosen in the "Begins on" field and go to the most recent collected messages (most of the time, today's date). 

        7. (Optional) Enter Tags and/or Notes for the Search.

        8. (Optional) Select whether you want to display 1) All results 2) only results on legal hold 3) exclude results on legal hold. Note that this optional field can be used as the sole search criteria/condition.

        9. (Optional) Select Permissions to display the drop-down menu that lets you give a search user access to this specific search. This option lets you allow an archive user to 1) access this search, 2) edit this search, 3) export this search, or any combination thereof.

        10. Click “Save and Display Results” to save the search and go directly to the search results or "Save and return to list" to save the search and go back to the SAVED SEARCHES pages displaying all the previously created searches.

*Note that constructing Custom Queries is typically an iterative process--particularly against large data sets.  After reviewing the results of the initial query, users can refine the search by clicking “Edit Search to Generate New Results”.

Screenshot - Custom search



CUSTOM QUERY SYNTAX

Custom query terms are the “what and where” components of the search--they enable you to specify what information to search for, and in which index fields to look for that information.

NOTE: If the term or phrase you are searching for contains a ":", you need to enclose it in quotation marks ("..."). For instance, if you are looking for the phrase the broker did the following: then you would write in the search terms field: "the broker did the following:"


Custom Query Fields

To specify a field to query, you would type the name of the field, followed by a colon (with no space in between).  The available fields are as follows:

            subject: - Refers to the contents of the “Subject” field within the headers of messages.

            body: - Refers to the contents of the “Body” field in the headers of messages.  ***Note that the body field is also the default field, so specifying the “body:” field for a term is optional.

            date: - Refers to information in the “Date” field in the headers of messages.

            from: - Refers to addresses that are contained in the from: field in the headers of messages.

            recipients: - Refers to addresses that are in the To:, Cc:, or Bcc: fields in the headers of messages.

            bcc: - Refers to addresses that are specifically in the Bcc: field within headers of messages.

            attachments.content: - Refers to the contents/body of files that are attached to messages.

            attachments.filename: - Refers to the names of files that are attached to messages.

            size: - Refers to the total size of messages (including attachments).  Note that the size field is calculated in bytes.

To search for information within a given field, you would include that information directly after the name of the field (with no space in between).  For example:

            subject:Earnings - Queries the Subject field to locate all messages with the word “Earnings” in the Subject.

            date:[2011-01-01T00:00:00Z TO 2011-12-31T00:00:00Z] (time is in GMT format) - Queries the Date field to locate messages that were sent between January 1st and December 31st, 2011.
 
You can also search for phrases within a particular field.  For example:

            subject:"Earnings Results" - Queries the Subject field to locate messages with the phrase “Earnings Results” in the subject.

            body:"Please do not share" - Queries the Body field to locate messages with the phrase “Please do not share” in the body.

   
Wildcard Query Operators

You can use wildcard operators to locate messages and/or documents based on partial terms.  You can use the asterisk ( * ) operator to locate messages and/or documents that contain specified partial terms.  For example:
   
            contract* - Denotes any term that begins with “contract” (such as “contract”, “contracts”, or “contracted”).

            acme.* - Denotes any term that starts with “acme.” (such as “acme.com” or “acme.co.uk”).

            43931* - Denotes any term that starts with the sequence “43931” (such as “43931.00” or “43931226”).
   
You can use the question mark (?) operator to locate messages that contain a specified term, with a given character replaced.  For example:
   
            "???? ???? ???? ????" - Denotes any term that contains four sets consisting of four characters each with a single space between sets (such as 4417 1234 5678 9012, a common format for credit/debit card numbers).

            "???\-??\-????" - Denotes any term that contains a set of three characters, followed by a dash, followed by two characters, followed by a dash, followed by four characters (e.g. 123-45-6789, a common format for U.S. social security numbers). See the section below, “Searching for Terms that Contain Reserved Characters”, for the explanation of “\” use.

            ?inks - Denotes any term that consists of any single character followed by the string “inks” (such as “links” and “rinks”).

            "well gra?e?" - Denotes any phrase beginning with the term “well” followed by a space and then a term that contains the string “gra”, followed by any character, followed by the letter ‘e’, followed by any character (such as “well graded” and “well grates”).


NOTE ON WILDCARDS (*): Wildcards can be used with any kind of word or number as long as it contains at least 5 characters or numbers. Using wildcards on words with fewer than 5 characters or strings with fewer than 5 numbers won't be effective.

NOTE ON LEADING WILDCARDS (*): Please be advised that you can only use leading wildcard query operators with the following fields: from, recipients, subject, attachments.filename, bcc. Leading wildcards cannot be used with the body and attachments.content fields.


Searching for Terms that Contain Reserved Characters

The following characters are reserved for use in the syntax of queries and, as such, require special handling when they are contained within query terms:

            + - & | ! ( ) { } [ ] ^ " ~ * ? : \

In order to search for terms that contain any of these characters, you are required to “escape” each reserved character by inserting a backslash (\) before it.  For example:
   
            body:"1\(555\) 555\-1212" - Queries for any messages with a body that contains the phrase “1 (555) 555-1212”.

            subject:promotion\? - Queries for any messages with a subject that contains the term “promotion?”.


Boolean Query Operators

You can use Boolean operators such as AND, OR, NOT, +, and - to search for messages or documents based on multiple terms. 

Use the AND operator to locate messages or documents that satisfy two or more criteria.  For example:
   
            body:demotion AND from:acme.co* - Queries for any messages with a body that contains the term “demotion” and a sender that contains a term that starts with “acme.co”.
   
            from:*@betacorp* AND recipients:*jdoe@acmecorp* AND date:[2011-01-01T00:00:00Z TO 2011-12-31T00:00:00Z] - Queries for any messages with a sender address that includes the string “@betacorp” where jdoe@acmecorp is a recipient (To:, Cc:, Bcc:) that was sent between January 1st and December 31st, 2011.

To locate messages where specific fields satisfy two or more criteria, you use the ‘+’ operator rather than using a more elaborate ‘AND’ query.  For example:
   
            body:(+confidential +IPO +bank) - Queries for any message that contains the terms “confidential”, “IPO”, and “bank” in the body. Parentheses are always needed when using this format with “+” signs; they indicate that the terms are grouped together. An alternative approach would be to write the query body:confidential AND body:IPO AND body:bank.
   
            attachments.content:(+agreement +CEO) AND attachments.filename:*doc* - Queries for any message that includes an attachment with the terms “agreement” and “CEO” in the contents and “doc” in the file name.

Use the OR operator to locate messages or documents that satisfy any of two or more criteria.  For example:
   
            attachments.content:contract* OR attachments.filename:*contract* - Queries for any message that includes an attachment with a term starting with “contract” in the contents or an attachment with a file name that contains the string “contract”.

            guarantee* OR subject:guarantee* - Queries for messages that contain a term that begins with “guarantee” in the message body (default field) or subject.
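
The escaping rule and the +/- grouping described above matter most when search text comes from somewhere else (a case-intake form, a spreadsheet of keywords): an unescaped parenthesis or colon in that text changes what the query means. The following is an added example, not part of the product or its documentation; the function names are hypothetical, and it assumes that escapes are accepted inside quoted phrases (as in this page's own phrase examples) and that a quoted AND/OR/NOT is treated as a plain term.

```python
import re

# Reserved characters, copied from the list on this page.
RESERVED = set('+-&|!(){}[]^"~*?:\\')

# Field names, copied from the "Custom Query Fields" list on this page.
FIELDS = {"subject", "body", "date", "from", "recipients", "bcc",
          "attachments.content", "attachments.filename", "size"}

OPERATOR_WORDS = {"AND", "OR", "NOT"}


def _check_field(field):
    if field not in FIELDS:
        raise ValueError(f"unknown field: {field!r}")


def literal_term(text):
    """Return `text` as one term or phrase that is matched literally."""
    text = text.strip()
    if not text:
        raise ValueError("empty search text")
    # Backslash-escape every reserved character so none acts as syntax.
    escaped = "".join("\\" + ch if ch in RESERVED else ch for ch in text)
    # Quote phrases, anything containing ':' (per the NOTE on this page),
    # and a lone operator word (assumption: quoting makes it a term).
    if re.search(r"\s", text) or ":" in text or text.upper() in OPERATOR_WORDS:
        return f'"{escaped}"'
    return escaped


def literal_clause(field, text):
    """Build field:term or field:"phrase" for one untrusted string."""
    _check_field(field)
    return f"{field}:{literal_term(text)}"


def grouped_clause(field, required=(), excluded=()):
    """Build field:(+a +b -c): all `required` present, no `excluded`."""
    _check_field(field)
    parts = ["+" + literal_term(t) for t in required]
    parts += ["-" + literal_term(t) for t in excluded]
    if not parts:
        raise ValueError("no terms given")
    return f"{field}:({' '.join(parts)})"


if __name__ == "__main__":
    # Constructed inputs; the first two reproduce queries shown on this page.
    print(literal_clause("subject", "promotion?"))
    print(grouped_clause("body", ["compliance"],
                         ["training", "human resources", "employees"]))
    # Text that would otherwise close a group and add an OR clause.
    print(literal_clause("subject", "acme) OR from:*"))
```
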


Fuzzy Logic Operators

You can use fuzzy logic operators to query for terms that are close to, but not precisely the same as, a particular term by inserting a tilde (~) after the term.  Fuzzy logic often comes in handy when you want to include misspellings of key terms in the search results.  For example:
   
            body:lawyer~ - Queries for messages that contain terms that are close to the term “lawyer”, such as “laywer” and “lawyers”.

            subject:VIN4422331~ - Queries for messages that contain terms that are close to the term “VIN4422331”, such as “BIN4422331” and “VIN2222331”.

You are also able to adjust the tolerance of the fuzzy logic (i.e. specify how “close to” the search term message terms should be in order to be included in search results).  The tolerance is measured on a 0 to 1 scale, with 1 indicating an exact match to the search term.  The default tolerance is 0.5.  You can adjust the tolerance by inserting the tolerance indicator after the tilde.  For example:

            body:lawyer~0.9 - Queries for messages that contain terms that are very close to the term “lawyer”, such as “lawyers”, but not “player”. 

            lawyer~0.2 - Queries for messages with a body that contains terms that are even remotely similar to the term “lawyer”, including “lawyers”, “player”, “players”, “lawed”.

Note that most customers will need to try a few different tolerance levels before locating the level that works best for a given search.


Proximity Logic Operators

You can use proximity logic operators to query for two terms that occur within a specified number of words of one another within a field.  In order to query using proximity logic, surround the search terms in quotations, separated by a space, followed by a tilde (~) and one or more digits to indicate the number of words.  For example:

            "manager HR"~10 - Queries for messages with a body that contains the term “manager” followed by the term “HR” separated by up to 10 additional terms.

Note: Wildcards and proximity search terms cannot be used in the same query term. For example, the query body:"gover* restore"~10 is not valid, and no results would appear.
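
Several of the rules above fail quietly: a query that breaks them returns fewer results or none, which in a compliance or legal-hold search looks the same as "nothing found". The following added example (not part of the product; function and rule names are hypothetical) checks a query string against the constraints stated on this page before it is run: the field list, the 5-character wildcard minimum, the leading-wildcard field restriction, the 0 to 1 fuzzy tolerance scale, and the ban on wildcards inside proximity terms. It is a heuristic scanner over bare terms, not a full parser of the query language.

```python
import re

# Field names and the leading-wildcard allow-list, as stated on this page.
FIELDS = {"subject", "body", "date", "from", "recipients", "bcc",
          "attachments.content", "attachments.filename", "size"}
LEADING_WILDCARD_OK = {"from", "recipients", "subject",
                       "attachments.filename", "bcc"}
OPERATORS = {"AND", "OR", "NOT"}

PHRASE = r'"(?:\\.|[^"\\])*"'
TOKEN = re.compile(r'[+-]?([A-Za-z.]+):|([()])|((?:\\.|[^\s()\\])+)')
UNESCAPED_WILDCARD = re.compile(r"(?<!\\)[*?]")


def check_term(field, term):
    """Apply the wildcard and fuzzy rules to one bare (unquoted) term."""
    out = []
    if term in OPERATORS or term in ("", "[]", '""'):
        return out
    fuzzy = re.search(r"(?<!\\)~(\d+(?:\.\d+)?)?$", term)
    if fuzzy:
        if fuzzy.group(1) and not 0 <= float(fuzzy.group(1)) <= 1:
            out.append(("fuzzy-tolerance-out-of-range", term))
        term = term[:fuzzy.start()]
    if re.search(r"(?<!\\)\*", term):
        # Count only the literal characters around the asterisks.
        literal = re.sub(r"\\(.)|\*", r"\1", term)
        if len(literal) < 5:
            out.append(("wildcard-under-5-chars", term))
        if term.startswith("*") and field not in LEADING_WILDCARD_OK:
            out.append(("leading-wildcard-not-allowed", f"{field}:{term}"))
    return out


def lint_query(query):
    """Return a list of (rule, offending_text) findings for one query."""
    findings = []
    # Queries pasted from documents often carry typographic quotes.
    q = query.replace("\u201c", '"').replace("\u201d", '"')
    # Range bodies are not terms; the '*' in [date TO *] is an open bound.
    q = re.sub(r"\[[^\]]*\]", "[]", q)
    # Rule: wildcards and proximity cannot share a query term.
    for m in re.finditer(PHRASE + r"~\d+", q):
        if UNESCAPED_WILDCARD.search(m.group(0)):
            findings.append(("wildcard-in-proximity", m.group(0)))
    # The remaining rules are applied to bare terms, so blank out phrases.
    q = re.sub(PHRASE + r"(?:~\d+)?", '""', q)

    groups = []      # field in force for each open parenthesis
    pending = None   # field named by the most recent "field:" prefix
    for m in TOKEN.finditer(q):
        field, paren, term = m.groups()
        if field:
            pending = field.lower()
            if pending not in FIELDS:
                findings.append(("unknown-field", field))
            continue
        # No explicit field means the enclosing group's field, else body.
        current = pending or (groups[-1] if groups else "body")
        pending = None
        if paren == "(":
            groups.append(current)
        elif paren == ")":
            if groups:
                groups.pop()
        else:
            findings += check_term(current, term.lstrip("+-"))
    return findings


if __name__ == "__main__":
    # Constructed sample queries.
    for sample in ('body:"gover* restore"~10',
                   "body:*contract AND from:*@acme.com",
                   "subject:lawyer~1.5"):
        print(sample, "->", lint_query(sample))
```
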


CUSTOM QUERY EXAMPLES

The following table is intended to illustrate how the custom query functionality can be used to locate information in the archive.

Example Description
Simple Operator Examples

theft AND illegal AND CHEAT
Would query for all messages where the body contains the terms “theft” AND “illegal” AND “cheat” ***Remember that not specifying a field is equivalent to specifying the “body” field.
subject:contract*
Would query for all messages where the subject field contains a term that begins with “contract”.
body:???\-??\-???? OR body:SSN OR body:"social security"
Would query for all messages where the body contains a string that follows the format “XXX-XX-XXXX” (where the ‘X’s correspond to any character) or a body that contains the term “SSN” or the phrase “social security”.  This could be used to locate messages that may contain U.S. social security numbers.
("???? ???? ???? ????" AND ??/??) OR "credit card" OR visa OR "master card" OR "Amex" OR "American Express"
Would query for all messages that meet either of the following conditions:
     * the body contains a string of four terms with four characters each (separated by single spaces) that also include a term with four characters divided by a forward slash. 
     * the body contains the term “credit card”, “visa”, “master card”, “Amex” or “American Express”.

This could be used to locate messages that may contain credit card numbers.
(recipients:*jdoe@acme* AND from:*lsmith@beta*) OR (recipients:*lsmith@beta* AND from:*jdoe@acme*)
Would query for all messages that meet either of the following conditions:
     * the sender field contains the string “lsmith@beta” and the recipient field contains “jdoe@acme”.
     * the sender field contains the string “jdoe@acme” and the recipient field contains “lsmith@beta”.

This could be used to locate messages between two individuals.
(body:theft AND body:illegal AND body:cheat)
Would query for all messages where the body contains the terms “theft” AND “illegal” AND “cheat”.
body:(+theft +illegal +cheat)
Would query for all messages where the body contains the terms “theft” AND “illegal” AND “cheat”.
body:(+compliance -training -"human resources" -employees)
Would query for all messages where the body contains the term “compliance” but not the terms “training” or “human resources” or “employees”.
(earnings OR revenue OR profit OR margin OR forecast OR loss OR cash) AND from:(-jsmith* -jdoe* -greddy* -nball* -ahouston* -adepnet* -jplick* -jsontray*)
Would query for messages where the body contains the term “earnings”, “revenue”, “profit”, “margin”, “forecast”, “loss”, or “cash” where the sender field does not include a term (address) beginning with “jsmith”, “jdoe”, “greddy”, “nball”, “ahouston”, “adepnet”, “jplick”, or “jsontray”.

This could be used to locate messages containing key terms that were sent from anyone other than a selected group of individuals (such as members of a particular department).
body:(+FRCP +SOX -GLBA -HIPAA) OR subject:"email archiving regulations"
Would query for all messages that meet either of the following conditions:
     * the message body contains the terms “FRCP” AND “SOX” but not “GLBA” or “HIPAA”.
     * the subject contains the phrase “email archiving regulations”.
"This email and any attachments thereto may contain private, confidential, and privileged material for the sole use of the intended recipient named in the original email to which this message was addressed. Any review, copying, or distribution of this email \(or any attachments thereto\) by others is strictly prohibited."
Would query for all messages with a body that contains the phrase “This email and any attachments thereto may contain private, confidential, and privileged material for the sole use of the intended recipient named in the original email to which this message was addressed. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited.”
date:[2010-01-01T00:00:00Z TO 2010-06-30T23:59:59Z] NOT body:"This email and any attachments thereto may contain private, confidential, and privileged material for the sole use of the intended recipient named in the original email to which this message was addressed. Any review, copying, or distribution of this email \(or any attachments thereto\) by others is strictly prohibited."
Would query for all messages dated between January 1st 2010 00:00:00 and June 30th 2010 23:59:59 that do not contain the following phrase in the body:  “This email and any attachments thereto may contain private, confidential, and privileged material for the sole use of the intended recipient named in the original email to which this message was addressed. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited.”
(from:jeff.m* OR from:mike.b* OR from:george.a* OR from:jim.c*) AND body:"This email and any attachments thereto may contain private, confidential, and privileged material for the sole use of the intended recipient named in the original email to which this message was addressed. Any review, copying, or distribution of this email \(or any attachments thereto\) by others is strictly prohibited."
Would query for all the messages with the partial terms “jeff.m” or “mike.b” or “george.a” or “jim.c” in the sender field that also contain the following phrase in the message body: “This email and any attachments thereto may contain private, confidential, and privileged material for the sole use of the intended recipient named in the original email to which this message was addressed. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited.”
Advanced Operator Examples

subject:where~
Would query for all messages with a subject field that contains a term that is similar to the term “where” (such as “were”, “here”, “there”, etc).
(body:440~ AND body:jon~) NOT body:dollar~
Would query for all messages containing strings that are similar to the string “440” (such as 540, 441, 420, etc.) and terms that are similar to the term “jon” (such as “jon”, “john”, “jons”, etc.) in the message body--excluding messages containing terms that are similar to the term “dollar” (such as “dollars”, “dolar”, “dollarrs”, etc.) in the message body.
subject:accommodate~0.8
Would query for all messages containing terms that are very similar to the term “accommodate” (such as “accomodate”, “acomodate”, “accomodates”, etc.) in the subject field.
subject:accommodate~0.2
Would query for all messages containing terms even remotely similar to the term “accommodate” (such as “unaccommodating”, “unacomodated”, “inaccommodating”, etc.) in the subject field.
body:"\"Richard G. Harper\""
Would query for messages containing the phrase “Richard G. Harper” in the message body.
subject:"would anybody volunteer to do night duty tonight\?"
Would query for all messages containing the phrase “would anybody volunteer to do night duty tonight?” in the subject field.
body:\(1\+456\)\*5
Would query for all messages containing the string “(1+456)*5” in the message body.
(body:attachment~0.4 AND body:handkerchief~0.2) OR subject:rhythm~
Would query for all messages containing a term that is similar to the term “attachment” (such as attachment, atachment, attchement, atachements, etc.) and a term that is even remotely similar to the term “handkerchief” (such as handkerchief, andkerchief, andkerchef, handcherchief, etc.) in the message body.  Alternatively, would locate any messages with a term that is similar to the term “rhythm” in the subject field.
subject:"transfer account"~5
Would query for all messages that contain the terms “transfer” followed by the term “account” separated by 5 or fewer terms in the subject field.
subject:"dividends fails"~4 AND (body:"hide board"~7 AND body:"successfully Wilkenssen"~100)
Would query for all messages that contain the terms “dividends” and “fails” separated by 4 or fewer terms in the subject field that also contain the terms “hide” and “board” separated by 7 or fewer terms and the terms “successfully” and “Wilkenssen” separated by 100 or fewer words in the message body.
Advanced Boolean Examples

(attachments.content:failure OR attachments.filename:amazon) AND (body:"be careful" AND body:(-John -Joe)) AND (date:[2008-01-01T00:00:00Z TO *] AND from:*@acme.com)
Would query for all messages that meet all of the following criteria:
     * contain the terms “failure” in the contents of attachment(s) or the terms “amazon” in the file name(s) of attachment(s).
     * the message body contains the phrase “be careful”.
     * the message body does not contain the terms “John” or “Joe”.
     * that are dated after January 1st 2008 00:00:00.
     * with a sender address that contains the partial term @acme.com.
(body:(+frustrating +purchase* +error) NOT body:parrot) OR subject:unfaithful
Would query for all messages that meet either of the following criteria:
      * the message body contains the term “frustrating” and a term beginning with the string “purchase” and the term “error” but not the term “parrot”.
      * the subject field contains the term “unfaithful”.
(subject:"night duty" OR body:night* AND attachments.content:028*) NOT from:*@gmail* NOT date:[1999-10-22T00:00:00Z TO 2000-01-10T00:00:00Z]
Would query for all the messages that meet all of the following criteria:
      * the subject field contains the term “night duty” or the body contains a term that starts with the string “night” and the attachment's body contains a number starting with "028"
      * the sender field does not contain the string “@gmail”.
      * the date field value is not between October 22nd 1999 00:00:00 and January 10th 2000 00:00:00.
(body:crash* AND attachments.filename:*amazon*) AND from:greddy@acme* AND date:[2011-01-01T00:00:00Z TO 2011-12-31T00:00:00Z]
Would query for all the messages that meet all of the following criteria:
      * the message body contains a term that begins with “crash” and an attachment file name contains the string “amazon”.
      * the sender field contains the string “greddy@acme”.
      * the date field value is between January 1st 2011 00:00:00 and December 31st 2011 00:00:00.
(body:search AND subject:"oh my" OR body:$18*) NOT (from:*@betacorp* AND recipients:jdoe@acmecorp*)
Would query for all messages that meet the following criteria:
      * the message body contains the term “search” or a string that begins with “$18” (such as $18, $180 $18.02 $18900, etc) and the subject field contains the phrase “oh my”.
      * the sender field does not contain the string “@betacorp” and a recipient field (To: Cc: Bcc:) contains a term beginning with “jdoe@acmecorp”.
(from:greddy@acme* AND body:crash?uard) AND body:(+200* +"set it up" +trouble +cheap -expensive) NOT (subject:birthday OR body:party OR body:surprise\!)
Would query for all the messages that meet all of the following criteria:
      * the sender field contains a term beginning with “greddy@acme” and the message body contains a term that begins with the string “crash” and ends with the string “uard”, separated by any single character (such as “crashguard”, “crashluard”, “crashcuard”, etc.).
      * the message body contains a term beginning with the string “200”, the phrase “set it up”, the term “trouble”, and the term “cheap” but not the term “expensive”.
      * the subject does not contain the term “birthday” and the message body does not contain the term “party” or the term “surprise!”.
(from:*@acme.com NOT from:*@acme.net) AND ((body:(+fine +delay +problem) OR subject:"merr?ll l?nch funds") NOT date:[* TO 2009-12-31T00:00:00Z])
Would query for all the messages that meet all of the following criteria:
      * the sender field includes a term that ends with the string “@acme.com” but not a term that ends in “@acme.net”.
      * the message body contains the terms “fine”, “delay”, and “problem” or the subject field contains a phrase that begins with the string “merr”, followed by any character, followed by the string “ll”, followed by a space, followed by the letter ‘l’, followed by any character, followed by the string “nch funds” (such as “merrill lynch funds”).
      * and the date field value is not prior to December 31st 2009 00:00:00.
(subject:(+lugano +accounts -review -rfp) AND (search* OR quer*)) OR (from:*reddy@acme.* NOT date:[2009-01-01T00:00:00Z TO 2009-12-31T23:59:59Z])
Would query for all the messages that meet either of the following criteria:
      * the subject field contains the terms “lugano” and “accounts” but not “review” or “rfp” and the body contains a term that begins with the string “search” or “quer”.
      * the sender field contains a term that includes the string “reddy@acme.” and the date field value is not between January 1st 2009 00:00:00 and December 31st 2009 23:59:59.
(attachments.filename:*powerpoint* AND attachments.content:(+microphone +transmitter +injury +complicat*)) AND ((subject:"cayman trade*" OR body:(+"severe stress" -illegal) NOT from:*@betacorp*))
Would query for all the messages that meet both of the following criteria:
      * attachment(s) file names containing the string “powerpoint” and the attachment contents that include the terms “microphone”, “transmitter”, “injury”, and a term that begins with “complicat”.
      * the subject includes a phrase that begins with “cayman trade” or the body contains  the term “severe stress” but not “illegal” and the sender field value does not contain the string “@betacorp”.