Message properties and search operators for In-Place eDiscovery in Exchange Server
This topic describes the properties of Exchange email messages that you can search by using In-Place eDiscovery & Hold in Exchange Server 2016 or Exchange Server 2019. The topic also describes Boolean search operators and other search query techniques that you can use to refine eDiscovery search results.
In-Place eDiscovery uses Keyword Query Language (KQL). For more details, see Keyword Query Language syntax reference.
Searchable properties in Exchange
The following table lists email message properties that can be searched using an In-Place eDiscovery search or by using the New-MailboxSearch or the Set-MailboxSearch cmdlet. The table includes an example of the property:value syntax for each property and a description of the search results returned by the examples.
|Property||Property description||Examples||Search results returned by the examples|
||The names of files attached to an email message.
|Messages that have an attached file with a name matching annualreport.ppt, e.g. "annualreport.ppt" or "2017 annualreport.ppt".
In the second example, using the wildcard returns messages with the word "annual" in the file name of an attachment.
||The BCC field of an email message.1
|All examples return messages with Pilar Pinilla included in the Bcc field.
||The categories to search. Categories can be defined by users by using Outlook or Outlook on the web (formerly known as Outlook Web App). Valid values are:
||Messages that have been assigned the red category in the source mailboxes.
||The CC field of an email message.1
|In both examples, messages with Pilar Pinilla specified in the CC field.
||The sender of an email message.1
|Messages sent by the specified user or sent from a specified domain.
||The importance of an email message, which a sender can specify when sending a message. By default, messages are sent with normal importance, unless the sender sets the importance as high or low.
|Messages that are marked as high importance, medium importance, or low importance.
||The message type to search. Valid values are:
kind:email OR kind:im OR kind:voicemail
|Email messages that meet the search criteria. The second example returns email messages, instant messaging conversations, and voice messages that meet the search criteria.
||All the people fields in an email message; these fields are From, To, CC, and BCC.1
|Messages sent by or sent to email@example.com.
The second example returns all messages sent by or sent to a user in the contoso.com domain.
||The date that an email message was received by a recipient.
received>=01/01/2015 AND received<=03/31/2015
|Messages that were received on April 15, 2014. The second example returns all messages received between January 1, 2014 and March 31, 2014.
||All recipient fields in an email message; these fields are To, CC, and BCC.1
|Messages sent to firstname.lastname@example.org.
The second example returns messages sent to any recipient in the contoso.com domain.
||The date that an email message was sent by the sender.
sent>=06/01/2015 AND sent<=07/01/2015
|Messages that were sent on the specified date or sent within the specified date range.
||The size of an item, in bytes.
|Messages larger than 25 MB.
The second example returns messages from 1 through 1,048,576 bytes (1 MB) in size.
||The text in the subject line of an email message.
|Messages that contain the exact phrase "Quarterly Financials" anywhere in the text of the subject line.
The second example returns all messages that contain the word northwind in the subject line.
||The To field of an email message.1
|All examples return messages where Ann Beebe is specified in the To: line.
1: For the value of a recipient property, you can use the SMTP address, display name, or alias to specify a user. For example, you can use email@example.com, annb, or "Ann Beebe" to specify the user Ann Beebe.
Supported search operators
Boolean search operators, such as AND, OR, and NOT, help you define more-precise mailbox searches by including or excluding specific words in the search query. Other techniques, such as using property operators (such as >= or ..), quotation marks, parentheses, and wildcards, help you refine eDiscovery search queries. The following table lists the operators that you can use to narrow or broaden search results.
||keyword1 AND keyword2
||Returns messages that include all of the specified keywords or
||keyword1 +keyword2 +keyword3
||Returns items that contain either
Note that the query
||keyword1 OR keyword2
||Returns messages that include one or more of the specified keywords or
||keyword1 NOT keyword2
NOT from:"Ann Beebe"
|Excludes messages specified by a keyword or a
||The same as the NOT operator. This query returns items that contain
||keyword1 NEAR(n) keyword2
||Returns messages with words that are near each other, where n equals the number of words apart. For example,
||The colon (:) in the
||Denotes that the property being searched is less than the specified value. 1
||Denotes that the property being searched is greater than the specified value.1
||Denotes that the property being searched is less than or equal to a specific value.1
||Denotes that the property being searched is greater than or equal to a specific value.1
||Denotes that the property being searched is greater than or equal to value1 and less than or equal to value2.1
|Use double quotation marks (" ") to search for an exact phrase or term in keyword and
|Prefix wildcard searches (where the asterisk is placed at the end of a word) match for zero or more characters in keywords or
||(fair OR free) AND from:contoso.com
(IPO OR initial) AND (stock OR shares)
|Parentheses group together Boolean phrases,
1: Use this operator for properties that have date or numeric values.
2: Boolean search operators must be uppercase; for example, AND. Using lowercase operators in search queries will return an error.
Unsupported characters in search queries
Unsupported characters in a search query typically cause a search error or return unintended results. Unsupported characters are often hidden and they're typically added to a query when you copy the query or parts of the query from other applications (such as Microsoft Word or Microsoft Excel) and copy them to the keyword box on the query page of In-Place eDiscovery search.
Here's a list of the unsupported characters for an In-Place eDiscovery search query.
Smart quotation marks: Smart single and double quotation marks (also called curly quotes) aren't supported. Only straight quotation marks can be used in a search query.
Non-printable and control characters: Non-printable and control characters don't represent a written symbol, such as a alpha-numeric character. Examples of non-printable and control characters include characters that format text or separate lines of text.
Left-to-right and right-to-left marks: These are control characters used to indicate text direction for left-to-right languages (such as English and Spanish) and right-to-left languages (such as Arabic and Hebrew).
Lowercase Boolean operators: As previous explained, you have to use uppercase Boolean operators, such as AND and OR, in a search query. Note that the query syntax will often indicate that a Boolean operator is being used even though lowercase operators might be used; for example,
(WordA or WordB) and (WordC or WordD).
How to prevent unsupported characters in your search queries? The best way to prevent unsupported characters is to just type the query in the keyword box. Alternatively, you can copy a query from Word or Excel and then paste it to file in a plain text editor, such as Microsoft Notepad. Then save the text file and select ANSI in the Encoding drop-down list. This will remove any formatting and unsupported characters. Then you can copy and paste the query from the text file to the keyword query box.
Search tips and tricks
Keyword searches are not case sensitive. For example, cat and CAT return the same results.
A space between two keywords or two
property:valueexpressions is the same as using AND. For example,
from:"Sara Davis" subject:reorganizationreturns all messages sent by Sara Davis that contain the word reorganization in the subject line.
Use syntax that matches the
property:valueformat. Values are not case-sensitive, and they can't have a space after the operator. If there is a space, your intended value will just be full-text searched. For example, to: pilarp searches for "pilarp" as a keyword, rather than for messages that were sent to pilarp.
When searching a recipient property, such as To, From, Cc, or Recipients, you can use an SMTP address, alias, or display name to denote a recipient. For example, you can use firstname.lastname@example.org, pilarp, or "Pilar Pinilla".
You can use only prefix wildcard searches (for example, cat* or set*). Suffix wildcard searches (*cat) or substring wildcard searches (*cat*) aren't supported.
When searching a property, use double quotation marks (" ") if the search value consists of multiple words. For example subject:budget Q1 returns messages that contain budget in the in the subject line and that contain Q1 anywhere in the message or in any of the message properties. Using subject:"budget Q1" returns all messages that contain budget Q1 anywhere in the subject line.
To exclude content marked with a certain property value from your search results, place a minus sign (-) before the name of the property. For example, -from:"Sara Davis" will exclude any messages sent by Sara Davis.
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.