电子数据展示的关键字查询和搜索条件Keyword queries and search conditions for eDiscovery

本主题介绍电子邮件和文档属性,您可以使用 Microsoft 365 合规中心中的电子数据展示搜索工具在 Exchange Online 中的电子邮件项目和 Microsoft Teams 聊天对话中搜索,以及存储在 SharePoint 和 OneDrive for Business 网站上的文档。This topic describes the email and document properties that you can search for in email items and Microsoft Teams chat conversations in Exchange Online, and documents stored on SharePoint and OneDrive for Business sites using the eDiscovery search tools in the Microsoft 365 compliance center. 这包括内容搜索、核心电子数据展示和高级电子数据展示 (高级电子数据展示搜索称为) 。 This includes Content search, Core eDiscovery, and Advanced eDiscovery (eDiscovery searches in Advanced eDiscovery are called collections). 您还可以使用安全与合规中心 PowerShell 中的 * -ComplianceSearch cmdlet &搜索这些属性。You can also use the *-ComplianceSearch cmdlets in Security & Compliance Center PowerShell to search for these properties. 本主题还介绍了:The topic also describes:

  • 使用布尔搜索运算符、搜索条件和其他搜索查询技术优化搜索结果。Using Boolean search operators, search conditions, and other search query techniques to refine your search results.

  • 在 SharePoint 和 OneDrive for Business 中搜索敏感数据类型和自定义敏感数据类型。Searching for sensitive data types and custom sensitive data types in SharePoint and OneDrive for Business.

  • 搜索与组织外部的用户共享的网站内容Searching for site content that's shared with users outside of your organization

有关如何创建不同电子数据展示搜索的分步说明,请参阅:For step-by-step instructions on how to create different eDiscovery searches, see:

备注

电子数据展示在 Microsoft 365 合规中心进行搜索,安全与合规中心 PowerShell 中的相应 * -ComplianceSearch cmd & let 使用关键字查询语言 (KQL) 。eDiscovery searches in the Microsoft 365 compliance center and the corresponding *-ComplianceSearch cmdlets in Security & Compliance Center PowerShell use the Keyword Query Language (KQL). 有关更多详细信息,请参阅关键字 查询语言语法参考For more detailed information, see Keyword Query Language syntax reference.

可搜索的电子邮件属性Searchable email properties

下表列出了可以使用 Microsoft 365 合规中心中的电子数据展示搜索工具或 New-ComplianceSearchSet-ComplianceSearch cmdlet 搜索的电子邮件属性。The following table lists email message properties that can be searched by using the eDiscovery search tools in the Microsoft 365 compliance center or by using the New-ComplianceSearch or the Set-ComplianceSearch cmdlet. 该表包含每个属性的 property:value 语法示例,以及示例返回的搜索结果的说明。The table includes an example of the property:value syntax for each property and a description of the search results returned by the examples. 可以在电子 property:value 数据展示搜索的关键字框中键入这些对。You can type these property:value pairs in the keywords box for an eDiscovery search.

备注

在搜索电子邮件属性时,无法搜索指定属性为空或为空的项目。When searching email properties, it's not possible to search for items in which the specified property is empty or blank. 例如,使用 subject:""property:value 对搜索主题行为空的电子邮件将返回零结果。For example, using the property:value pair of subject:"" to search for email messages with an empty subject line will return zero results. 这同样适用于搜索网站和联系人属性的情况。This also applies when searching site and contact properties.

属性Property 属性描述Property description 示例Examples 示例返回的搜索结果Search results returned by the examples
AttachmentNamesAttachmentNames 电子邮件附件的文件名。The names of files attached to an email message. attachmentnames:annualreport.ppt
attachmentnames:annual*
attachmentnames:.pptx
含有名称为 annualreport.ppt 的附件的邮件。Messages that have an attached file named annualreport.ppt. 在第二个示例中,使用通配符返回附件名中带有单词"annual"的邮件。In the second example, using the wildcard returns messages with the word "annual" in the file name of an attachment. 第三个示例返回文件扩展名为 pptx 的所有附件。The third example returns all attachments with the pptx file extension.
BccBcc 电子邮件的"Bcc"字段。1The Bcc field of an email message.1 bcc:pilarp@contoso.com
bcc:pilarp
bcc:"Pilar Pinilla"
所有示例都返回"密件抄送"字段中包含"Pilar Pinilla"的邮件。All examples return messages with Pilar Pinilla included in the Bcc field.
CategoryCategory 搜索类别。The categories to search. 用户可以通过使用 Outlook 或 Web 上的 Outlook 定义类别 (以前称为Outlook Web App) 。Categories can be defined by users by using Outlook or Outlook on the web (formerly known as Outlook Web App). 可能的值是:The possible values are:

蓝色blue
绿色green
橙色orange
紫色purple
红色red
黄色yellow
category:"Red Category" 在源邮箱中已指定红色类别的邮件。Messages that have been assigned the red category in the source mailboxes.
抄送Cc 电子邮件的"抄送"字段。1The Cc field of an email message.1 cc:pilarp@contoso.com
cc:"Pilar Pinilla"
在这两个示例中,在"抄送"字段中指定了 Pilar Pinilla 的邮件。In both examples, messages with Pilar Pinilla specified in the Cc field.
FolderidFolderid 文件夹 ID (特定) 文件夹的 GUID。The folder ID (GUID) of a specific mailbox folder. 如果使用此属性,请确保搜索指定文件夹所在的邮箱。If you use this property, be sure to search the mailbox that the specified folder is located in. 将仅搜索指定的文件夹。Only the specified folder will be searched. 不会搜索文件夹中的任何子文件夹。Any subfolders in the folder won't be searched. 若要搜索子文件夹,您需要对要搜索的子文件夹使用 Folderid 属性。To search subfolders, you need to use the Folderid property for the subfolder you want to search.
有关搜索 Folderid 属性和使用脚本获取特定邮箱的文件夹 ID 的信息,请参阅对目标集合使用内容 搜索For more information about searching for the Folderid property and using a script to obtain the folder IDs for a specific mailbox, see Use Content search for targeted collections.
folderid:4D6DD7F943C29041A65787E30F02AD1F00000000013A0000
folderid:2370FB455F82FC44BE31397F47B632A70000000001160000 AND participants:garthf@contoso.com
第一个示例返回指定邮箱文件夹中的所有项目。The first example returns all items in the specified mailbox folder. 第二个示例返回指定邮箱文件夹中由用户发送或接收的所有 garthf@contoso.com。The second example returns all items in the specified mailbox folder that were sent or received by garthf@contoso.com.
发件人From 电子邮件的发件人。1The sender of an email message.1 from:pilarp@contoso.com
from:contoso.com
由指定用户或指定域发送的邮件。Messages sent by the specified user or sent from a specified domain.
HasAttachmentHasAttachment 指示邮件是否有附件。Indicates whether a message has an attachment. 使用值 true 或 falseUse the values true or false. from:pilar@contoso.com AND hasattachment:true 由具有附件的指定用户发送的邮件。Messages sent by the specified user that have attachments.
ImportanceImportance The importance of an email message, which a sender can specify when sending a message. By default, messages are sent with normal importance, unless the sender sets the importance as high or low. The importance of an email message, which a sender can specify when sending a message. By default, messages are sent with normal importance, unless the sender sets the importance as high or low. importance:high
importance:medium
importance:low
将重要性标记为高、中等或低的邮件。Messages that are marked as high importance, medium importance, or low importance.
IsReadIsRead 指示是否已阅读邮件。Indicates whether messages have been read. 使用值 true 或 falseUse the values true or false. isread:true
isread:false
第一个示例返回 IsRead 属性设置为 True 的邮件The first example returns messages with the IsRead property set to True. 第二个示例返回 IsRead 属性设置为 False 的邮件The second example returns messages with the IsRead property set to False.
ItemClassItemClass 使用此属性可搜索组织导入到 Office 365 的特定第三方数据类型。Use this property to search specific third-party data types that your organization imported to Office 365. 对此属性使用以下语法: itemclass:ipm.externaldata.<third-party data type>*Use the following syntax for this property: itemclass:ipm.externaldata.<third-party data type>* itemclass:ipm.externaldata.Facebook* AND subject:contoso
itemclass:ipm.externaldata.Twitter* AND from:"Ann Beebe" AND "Northwind Traders"
第一个示例返回 Subject 属性中包含单词"contoso"的 Facebook 项目。The first example returns Facebook items that contain the word "contoso" in the Subject property. 第二个示例返回 Ann Beebe 发布且包含关键字短语"Northwind Traders"的 Twitter 项目。The second example returns Twitter items that were posted by Ann Beebe and that contain the keyword phrase "Northwind Traders".
有关用于 ItemClass 属性的第三方数据类型的值的完整列表,请参阅使用内容搜索搜索已导入 到 Office 365 的第三方数据For a complete list of values to use for third-party data types for the ItemClass property, see Use Content search to search third-party data that was imported to Office 365.
KindKind 要搜索的电子邮件的类型。The type of email message to search for. 可能的值:Possible values:
联系人contacts
文档docs
电子邮件email
externaldataexternaldata
传真faxes
即时消息im
日志journals
会议meetings
microsoftteams (Microsoft Teams) 中的聊天、会议和通话中返回项目microsoftteams (returns items from chats, meetings, and calls in Microsoft Teams)
注释notes
公告posts
RSS 源rssfeeds
任务tasks
语音邮件voicemail
kind:email
kind:email OR kind:im OR kind:voicemail
kind:externaldata
第一个示例返回符合搜索条件的电子邮件。The first example returns email messages that meet the search criteria. 第二个示例返回电子邮件、即时消息 (包括 Microsoft Teams) 中的 Skype for Business 对话和聊天以及符合搜索条件的语音邮件。The second example returns email messages, instant messaging conversations (including Skype for Business conversations and chats in Microsoft Teams), and voice messages that meet the search criteria. 第三个示例返回从第三方数据源(如 Twitter、Facebook 和 Cisco Jabber)导入到 Microsoft 365 中的邮箱的项目,这些项目符合搜索条件。The third example returns items that were imported to mailboxes in Microsoft 365 from third-party data sources, such as Twitter, Facebook, and Cisco Jabber, that meet the search criteria. 有关详细信息,请参阅存档 Office 365 中的第三方数据For more information, see Archiving third-party data in Office 365.
参与者Participants 电子邮件中的"所有人员"字段。All the people fields in an email message. 这些字段为 From、To、Cc 和Bcc。1These fields are From, To, Cc, and Bcc.1 participants:garthf@contoso.com
participants:contoso.com
发送自/到 garthf@contoso.com 的邮件。第二个示例返回 contoso.com 域中的用户发送的所有邮件或发送至 contoso.com 域中的用户的所有邮件。Messages sent by or sent to garthf@contoso.com. The second example returns all messages sent by or sent to a user in the contoso.com domain.
ReceivedReceived 收件人接收电子邮件的日期。The date that an email message was received by a recipient. received:04/15/2016
received>=01/01/2016 AND received<=03/31/2016
2016 年 4 月 15 日收到的邮件。Messages that were received on April 15, 2016. 第二个示例返回 2016 年 1 月 1 日到 2016 年 3 月 31 日之间收到的所有邮件。The second example returns all messages received between January 1, 2016 and March 31, 2016.
收件人Recipients 电子邮件中所有收件人字段。All recipient fields in an email message. 这些字段为"To"、Cc 和Bcc。1These fields are To, Cc, and Bcc.1 recipients:garthf@contoso.com
recipients:contoso.com
发送到 garthf@contoso.com 的邮件。第二个示例返回发送至 contoso.com 域中任何收件人的邮件。Messages sent to garthf@contoso.com. The second example returns messages sent to any recipient in the contoso.com domain.
SentSent 发件人发送电子邮件的日期。The date that an email message was sent by the sender. sent:07/01/2016
sent>=06/01/2016 AND sent<=07/01/2016
在指定日期或指定日期范围内发送的邮件。Messages that were sent on the specified date or sent within the specified date range.
SizeSize 邮件的大小(以字节为单位)。The size of an item, in bytes. size>26214400
size:1..1048567
大于 25 MB 的邮件。第二个示例返回大小介于 1 到 1,048,567 (1 MB) 字节之间的邮件。Messages larger than 25 MB. The second example returns messages from 1 through 1,048,567 bytes (1 MB) in size.
SubjectSubject 电子邮件主题行中的文本。The text in the subject line of an email message.
注意: 在查询中使用 Subject 属性时,搜索将返回主题行包含要搜索的文本的所有邮件。Note: When you use the Subject property in a query, the search returns all messages in which the subject line contains the text you're searching for. 换句话说,查询不会仅返回那些完全匹配的邮件。In other words, the query doesn't return only those messages that have an exact match. 例如,如果搜索 ,结果将包括主题为 subject:"Quarterly Financials" "Quarterly Financials 2018"的邮件。For example, if you search for subject:"Quarterly Financials", your results will include messages with the subject "Quarterly Financials 2018".
subject:"Quarterly Financials"
subject:northwind
主题行文本中任意位置包含短语"Quarterly Financials"的邮件。Messages that contain the phrase "Quarterly Financials" anywhere in the text of the subject line. 第二个示例返回主题行中包含单词"northwind"的所有邮件。The second example returns all messages that contain the word northwind in the subject line.
收件人To 电子邮件的"收件人"字段。1The To field of an email message.1 to:annb@contoso.com
to:annb
to:"Ann Beebe"
所有示例返回在"收件人:"行中指定为 Ann Beebe 的邮件。All examples return messages where Ann Beebe is specified in the To: line.

备注

1对于收件人属性的值,您可以使用电子邮件地址 (也称为用户主体名称或 UPN ) 、显示名称 或别名来指定用户。1 For the value of a recipient property, you can use email address (also called user principal name or UPN), display name, or alias to specify a user. 例如,你可以使用 annb@contoso.com、annb 或"Ann Beebe"指定用户 Ann Beebe。For example, you can use annb@contoso.com, annb, or "Ann Beebe" to specify the user Ann Beebe.

收件人展开Recipient expansion

在搜索任何收件人属性 (From、To、Cc、Bcc、Participants 和 Recipients) 时,Microsoft 365 会尝试通过查找 Azure Active Directory (Azure AD) 来扩展每个用户的身份。When searching any of the recipient properties (From, To, Cc, Bcc, Participants, and Recipients), Microsoft 365 attempts to expand the identity of each user by looking them up in Azure Active Directory (Azure AD). 如果在 Azure AD 中找到了该用户,则查询将扩展为包括用户的电子邮件地址 (或 UPN) 、别名、显示名称 和 LegacyExchangeDN。If the user is found in Azure AD, the query is expanded to include the user's email address (or UPN), alias, display name, and LegacyExchangeDN. 例如,查询(如 ) participants:ronnie@contoso.com 将展开到 participants:ronnie@contoso.com OR participants:ronnie OR participants:"Ronald Nelson" OR participants:"<LegacyExchangeDN>"For example, a query such as participants:ronnie@contoso.com expands to participants:ronnie@contoso.com OR participants:ronnie OR participants:"Ronald Nelson" OR participants:"<LegacyExchangeDN>".

若要阻止收件人展开, (电子邮件地址) 添加通配符,并使用缩减域名;例如, participants:"ronnie@contoso*" 请务必用双引号将电子邮件地址括起来。To prevent recipient expansion, add a wild card character (asterisk) to the end of the email address and use a reduced domain name; for example, participants:"ronnie@contoso*" Be sure to surround the email address with double quotation marks.

但是,请注意,在搜索查询中阻止收件人展开可能会导致搜索结果中未返回相关项目。However, be aware that preventing recipient expansion in the search query may result in relevant items not being returned in the search results. Exchange 中的电子邮件可以在收件人字段中使用不同的文本格式进行保存。Email messages in Exchange can be saved with different text formats in the recipient fields. 收件人展开旨在帮助通过返回可能包含不同文本格式的邮件来缓解这一情况。Recipient expansion is intended to help mitigate this fact by returning messages that may contain different text formats. 因此,阻止收件人展开可能会导致搜索查询不返回与调查相关的所有项目。So preventing recipient expansion may result in the search query not returning all items that may be relevant to your investigation.

备注

如果需要检查或减少由于收件人展开而由搜索查询返回的项目,请考虑使用高级电子数据展示。If you need to review or reduce the items returned by a search query due to recipient expansion, consider using Advanced eDiscovery. 您可以搜索利用收件人展开 (的邮件,) 审阅集,然后使用审阅集查询或筛选器查看或缩小结果范围。You can search for messages (taking advantage of recipient expansion), add them to a review set, and then use review set queries or filters to review or narrow the results. 有关详细信息,请参阅收集案例的数据和查询审阅集内的数据For more information, see Collect data for a case and Query the data in a review set.

可搜索网站属性Searchable site properties

下表列出了一些 SharePoint 和 OneDrive for Business 属性,这些属性可通过使用 Microsoft 365 合规中心中的电子数据展示搜索工具或 New-ComplianceSearchSet-ComplianceSearch cmdlet 进行搜索。The following table lists some of the SharePoint and OneDrive for Business properties that can be searched by using the eDiscovery search tools in the Microsoft 365 compliance Center or by using the New-ComplianceSearch or the Set-ComplianceSearch cmdlet. 该表包含每个属性的 property:value 语法示例,以及示例返回的搜索结果的说明。The table includes an example of the property:value syntax for each property and a description of the search results returned by the examples.

有关可搜索的 SharePoint 属性的完整列表,请参阅 SharePoint 中的已爬网 和托管属性概述For a complete list of SharePoint properties that can be searched, see Overview of crawled and managed properties in SharePoint. 可以 搜索"可 查询 "列中标记为 "是"的属性。Properties marked with a Yes in the Queryable column can be searched.

属性Property 属性描述Property description 示例Example 示例返回的搜索结果Search results returned by the examples
作者Author 作者字段位于 Office 文档中,复制文档后仍然存在其中。The author field from Office documents, which persists if a document is copied. 例如,如果用户创建一个文档,并将其通过电子邮件发送给随后将其上载到 SharePoint 的其他人,该文档仍将保留原始作者。For example, if a user creates a document and the emails it to someone else who then uploads it to SharePoint, the document will still retain the original author. 请务必使用用户的 显示名称 此属性。Be sure to use the user's display name for this property. author:"Garth Fort" 所有文档的作者均为 Garth Fort。All documents that are authored by Garth Fort.
ContentTypeContentType 项的 SharePoint 内容类型,如项、文档或视频。The SharePoint content type of an item, such as Item, Document, or Video. contenttype:document 将返回所有文档。All documents would be returned.
CreatedCreated 创建项目的日期。The date that an item is created. created>=06/01/2016 在 2016 年 6 月 1 日当天或之后创建的所有项目。All items created on or after June 1, 2016.
CreatedByCreatedBy 创建或上载项目的人员。The person that created or uploaded an item. 请务必使用用户的 显示名称 此属性。Be sure to use the user's display name for this property. createdby:"Garth Fort" 所有项目均由 Garth Fort 创建或上载。All items created or uploaded by Garth Fort.
DetectedLanguageDetectedLanguage 项目的语言。The language of an item. detectedlanguage:english 所有项目均为英语。All items in English.
DocumentLinkDocumentLink SharePoint () OneDrive for Business 网站上特定文件夹的路径 URL。The path (URL) of a specific folder on a SharePoint or OneDrive for Business site. 如果使用此属性,请确保搜索指定文件夹所在的网站。If you use this property, be sure to search the site that the specified folder is located in.
若要返回位于为 documentlink 属性指定的文件夹的子文件夹中的项目,您必须将 /添加到指定文件夹的 URL 中; * 例如, documentlink: "https://contoso.sharepoint.com/Shared Documents/*"To return items located in subfolders of the folder that you specify for the documentlink property, you have to add /* to the URL of the specified folder; for example, documentlink: "https://contoso.sharepoint.com/Shared Documents/*"

有关搜索 documentlink 属性和使用脚本获取特定网站上文件夹的文档链接 URL 的信息,请参阅对目标集合使用内容 搜索For more information about searching for the documentlink property and using a script to obtain the documentlink URLs for folders on a specific site, see Use Content search for targeted collections.
documentlink:"https://contoso-my.sharepoint.com/personal/garthf_contoso_com/Documents/Private"
documentlink:"https://contoso-my.sharepoint.com/personal/garthf_contoso_com/Documents/Shared with Everyone/*" AND filename:confidential
第一个示例返回指定 OneDrive for Business 文件夹中的所有项目。The first example returns all items in the specified OneDrive for Business folder. 第二个示例返回指定网站文件夹中的文档 (文件名中包含) "机密"一词的所有子文件夹。The second example returns documents in the specified site folder (and all subfolders) that contain the word "confidential" in the file name.
FileExtensionFileExtension 文件的扩展名;例如,docx、one、pptx 或 xlsx。The extension of a file; for example, docx, one, pptx, or xlsx. fileextension:xlsx Excel 2007 (及更高版本的所有 Excel) All Excel files (Excel 2007 and later)
FileNameFileName 文件的名称。The name of a file. filename:"marketing plan"
filename:estimate
第一个示例返回标题中具有完全匹配短语“marketing plan”的文件。第二个示例返回文件名中具有单词“estimate”的文件。The first example returns files with the exact phrase "marketing plan" in the title. The second example returns files with the word "estimate" in the file name.
LastModifiedTimeLastModifiedTime 项目的上次更改日期。The date that an item was last changed. lastmodifiedtime>=05/01/2016
lastmodifiedtime>=05/10/2016 AND lastmodifiedtime<=06/1/2016
第一个示例返回在 2016 年 5 月 1 日当天或之后更改的项目。The first example returns items that were changed on or after May 1, 2016. 第二个示例返回 2016 年 5 月 1 日到 2016 年 6 月 1 日之间更改的项目。The second example returns items changed between May 1, 2016 and June 1, 2016.
ModifiedByModifiedBy 上次更改项目的人员。The person who last changed an item. 请务必使用用户的 显示名称 此属性。Be sure to use the user's display name for this property. modifiedby:"Garth Fort" 由 Garth Fort 最后更改的所有项目。All items that were last changed by Garth Fort.
路径Path SharePoint () OneDrive for Business 网站中特定网站的路径 URL。The path (URL) of a specific site in a SharePoint or OneDrive for Business site.

若要仅返回指定网站中的项目,您必须将尾随添加到 URL 的 / 末尾;例如, path: "https://contoso.sharepoint.com/sites/international/"To return items only from the specified site, you have to add the trailing / to the end of the URL; for example, path: "https://contoso.sharepoint.com/sites/international/"

若要返回在 path 属性中指定的网站文件夹中的项目,您必须添加到 URL 的 /* 末尾;例如, path: "https://contoso.sharepoint.com/Shared Documents/*"To return items located in folders in the site that you specify in the path property, you have to add /* to the end of the URL; for example, path: "https://contoso.sharepoint.com/Shared Documents/*"

注意: 使用 属性搜索 OneDrive 位置不会在搜索结果中返回媒体 Path .png、.tiff 或 .wav 文件。Note: Using the Path property to search OneDrive locations won't return media files, such as .png, .tiff, or .wav files, in the search results. 在搜索查询中使用不同的网站属性来搜索 OneDrive 文件夹中的媒体文件。Use a different site property in your search query to search for media files in OneDrive folders.
path:"https://contoso-my.sharepoint.com/personal/garthf_contoso_com/"
path:"https://contoso-my.sharepoint.com/personal/garthf_contoso_com/*" AND filename:confidential
第一个示例返回指定 OneDrive for Business 网站中的所有项目。The first example returns all items in the specified OneDrive for Business site. 第二个示例返回指定网站 (中的文档和网站) 文件名中包含"机密"一词的文件夹。The second example returns documents in the specified site (and folders in the site) that contain the word "confidential" in the file name.
SharedWithUsersOWSUserSharedWithUsersOWSUser 已与指定用户共享并显示在用户的 OneDrive for Business 网站中的"与我共享"页面上的文档。Documents that have been shared with the specified user and displayed on the Shared with me page in the user's OneDrive for Business site. 这些是组织中其他人已与指定用户显式共享的文档。These are documents that have been explicitly shared with the specified user by other people in your organization. 导出与使用 SharedWithUsersOWSUser 属性的搜索查询匹配的文档时,文档从与指定用户共享文档的用户的原始内容位置导出。When you export documents that match a search query that uses the SharedWithUsersOWSUser property, the documents are exported from the original content location of the person who shared the document with the specified user. 有关详细信息,请参阅搜索 在组织中共享的网站内容For more information, see Searching for site content shared within your organization. sharedwithusersowsuser:garthf
sharedwithusersowsuser:"garthf@contoso.com"
这两个示例都返回已与 Garth Fort 显式共享且显示在 Garth Fort 的 OneDrive for Business 帐户的"共享我"页面上的所有内部文档。Both examples return all internal documents that have been explicitly shared with Garth Fort and that appear on the Shared with me page in Garth Fort's OneDrive for Business account.
SiteSite 组织中站点或站点组的 URL。The URL of a site or group of sites in your organization. site:"https://contoso-my.sharepoint.com"
site:"https://contoso.sharepoint.com/sites/teams"
第一个示例返回组织中所有用户的 OneDrive for Business 网站中的项目。The first example returns items from the OneDrive for Business sites for all users in the organization. 第二个示例返回所有团队网站中的项目。The second example returns items from all team sites.
SizeSize 邮件的大小(以字节为单位)。The size of an item, in bytes. size>=1
size:1..10000
第一个示例返回大于 1 字节的项目。第二个示例返回大小介于 1 到 10,000 字节之间的项目。The first example returns items larger than 1 byte. The second example returns items from 1 through 10,000 bytes in size.
标题Title 文档的标题。The title of the document. Title 属性是在文档中指定的元数据Microsoft Office元数据。The Title property is metadata that's specified in Microsoft Office documents. 它不同于文档的文件名。It's different from the file name of the document. title:"communication plan" Office 文档的 Title 元数据属性中包含短语“communication plan”的任何文档。Any document that contains the phrase "communication plan" in the Title metadata property of an Office document.

可搜索联系人属性Searchable contact properties

下表列出了已编制索引且可以使用电子数据展示搜索工具进行搜索的联系人属性。The following table lists the contact properties that are indexed and that you can search for using eDiscovery search tools. 这些属性可供用户为位于用户邮箱的个人通讯簿中的联系人 (也称为个人联系人) 配置。These are the properties that are available for users to configure for the contacts (also called personal contacts) that are located in the personal address book of a user's mailbox. 若要搜索联系人,可以选择要搜索的邮箱,然后在关键字查询中使用一个或多个联系人属性。To search for contacts, you can select the mailboxes to search and then use one or more contact properties in the keyword query.

提示

若要搜索包含空格或特殊字符的值,请使用双引号 (" ") 包含短语;例如, businessaddress:"123 Main Street"To search for values that contain spaces or special characters, use double quotation marks (" ") to contain the phrase; for example, businessaddress:"123 Main Street".

属性Property 属性描述Property description
BusinessAddressBusinessAddress "商务地址 "属性中的 地址。The address in the Business Address property. 该属性在联系人属性 页上也称为 "工作地址"。The property is also called the Work address on the contact properties page.
BusinessPhoneBusinessPhone 任何商务电话号码 属性中 的电话号码。The phone number in any of the Business Phone number properties.
CompanyNameCompanyName Company 属性 的名称。The name in the Company property.
部门Department Department 属性 的名称。The name in the Department property.
DisplayNameDisplayName 联系人显示名称。The display name of the contact. 这是联系人的 "全名" 属性中的名称。This is the name in the Full Name property of the contact.
EmailAddressEmailAddress 联系人的任何电子邮件地址属性的地址。The address for any email address property for the contact. 用户可以为联系人添加多个电子邮件地址。Users can add multiple email addresses for a contact. 使用此属性将返回与联系人的任何电子邮件地址匹配的联系人。Using this property would return contacts that match any of the contact's email addresses.
FileAsFileAs File 作为 属性。The File as property. 此属性用于指定联系人在用户的联系人列表中的列出方式。This property is used to specify how the contact is listed in the user's contact list. 例如,联系人可以列为 FirstName,LastNameLastName,FirstNameFor example, a contact could be listed as FirstName,LastName or LastName,FirstName.
GivenNameGivenName First Name 属性 的名称。The name in the First Name property.
HomeAddressHomeAddress 任何家庭地址 属性中的 地址。The address in any of the Home address properties.
HomePhoneHomePhone 任何家庭电话号码 属性中 的电话号码。The phone number in any of the Home phone number properties.
IMAddressIMAddress IM 地址属性,通常为用于即时消息的电子邮件地址。The IM address property, which is typically an email address used for instant messaging.
MiddleNameMiddleName Middle name 属性中的名称。The name in the Middle name property.
MobilePhoneMobilePhone 移动电话号码 属性 中的电话号码。The phone number in the Mobile phone number property.
NicknameNickname Nickname 属性 的名称。The name in the Nickname property.
OfficeLocationOfficeLocation Office 或 Office 位置属性的值The value in Office or Office location property.
OtherAddressOtherAddress Other address 属性的值。The value for the Other address property.
SurnameSurname Last name 属性中的名称。The name in the Last name property.
标题Title Job title 属性 的标题。The title in the Job title property.

可搜索敏感数据类型Searchable sensitive data types

可以使用 Microsoft 365 合规中心中的电子数据展示搜索工具搜索存储在 SharePoint 和 OneDrive for Business 网站上文档中的敏感数据,如信用卡号或社会保险号。You can use eDiscovery search tools in the Microsoft 365 compliance center to search for sensitive data, such as credit card numbers or social security numbers, that is stored in documents on SharePoint and OneDrive for Business sites. 为此,可以在关键字查询 (敏感信息) 属性和名称或 SensitiveType ID。You can do this by using the SensitiveType property and the name (or ID) of a sensitive information type in a keyword query. 例如,查询 SensitiveType:"Credit Card Number" 返回包含信用卡号的文档。For example, the query SensitiveType:"Credit Card Number" returns documents that contain a credit card number. 查询 SensitiveType:"U.S. Social Security Number (SSN)" 返回包含美国社会保险号的文档。The query SensitiveType:"U.S. Social Security Number (SSN)" returns documents that contain a U.S. social security number.

若要查看可搜索的敏感信息类型的列表,请转到 Microsoft 365合规中心内的数据 > 分类敏感信息类型。To see a list of the sensitive information types that you can search for, go to Data classifications > Sensitive info types in the Microsoft 365 compliance center. 或者,您可以使用安全与合规中心 PowerShell & Get-DlpSensitiveInformationType cmdlet 来显示敏感信息类型列表。Or you can use the Get-DlpSensitiveInformationType cmdlet in Security & Compliance Center PowerShell to display a list of sensitive information types.

有关使用 属性创建查询的信息,请参阅创建查询 SensitiveType 以查找网站上存储的敏感数据For more information about creating queries using the SensitiveType property, see Form a query to find sensitive data stored on sites.

搜索敏感数据类型的限制Limitations for searching sensitive data types

  • 若要搜索自定义敏感信息类型,您必须在 属性中指定敏感信息类型的 SensitiveType ID。To search for custom sensitive information types, you have to specify the ID of the sensitive information type in the SensitiveType property. 使用自定义敏感信息类型的名称 (如上一节中内置敏感信息类型的示例所示,) 返回任何结果。Using the name of a custom sensitive information type (as shown in the example for built-in sensitive information types in the previous section) will return no results. 使用合规 中心 (中"敏感信息类型"页面上的"发布者"列或 PowerShell) 中的 Publisher 属性区分内置和自定义敏感信息类型。Use the Publisher column on the Sensitive info types page in the compliance center (or the Publisher property in PowerShell) to differentiate between built-in and custom sensitive information types. 内置的敏感数据类型具有 Microsoft Corporation Publisher 属性的值。Built-in sensitive data types have a value of Microsoft Corporation for the Publisher property.

    若要显示组织中自定义敏感数据类型的名称和 ID,请运行安全与合规中心 PowerShell &命令:To display the name and ID for the custom sensitive data types in your organization, run the following command in Security & Compliance Center PowerShell:

    Get-DlpSensitiveInformationType | Where-Object {$_.Publisher -ne "Microsoft Corporation"} | FT Name,Id
    

    然后,可以使用搜索属性中的 ID 返回包含自定义敏感数据类型 SensitiveType 的文档;例如, SensitiveType:7e13277e-6b04-3b68-94ed-1aeb9d47de37Then you can use the ID in the SensitiveType search property to return documents that contain the custom sensitive data type; for example, SensitiveType:7e13277e-6b04-3b68-94ed-1aeb9d47de37

  • 你不能使用敏感信息类型和搜索属性来搜索 Exchange Online 邮箱中的敏感数据 SensitiveTypeYou can't use sensitive information types and the SensitiveType search property to search for sensitive data at-rest in Exchange Online mailboxes. 这包括一对一聊天消息、一对 N 组聊天消息和 Microsoft Teams 中的团队频道对话,因为所有这些内容都存储在邮箱中。This includes 1:1 chat messages, 1:N group chat messages, and team channel conversations in Microsoft teams because all of this content is stored in mailboxes. 但是,您可以使用 DLP 策略 (数据丢失) 保护传输中的敏感数据。However, you can use data loss prevention (DLP) policies to protect sensitive email data in transit. 有关详细信息,请参阅 了解数据丢失 防护和 搜索和查找个人数据For more information, see Learn about data loss prevention and Search for and find personal data.

搜索运算符Search operators

布尔搜索运算符(如 AND、ORNOT) 可帮助您通过包括或排除搜索查询中的特定词来定义更精确的搜索。Boolean search operators, such as AND, OR, and NOT, help you define more-precise searches by including or excluding specific words in the search query. 其他技术(如使用属性运算符 (或) 、引号、括号和通配符)可帮助您优化 >= .. 搜索查询。Other techniques, such as using property operators (such as >= or ..), quotation marks, parentheses, and wildcards, help you refine a search query. 下表列出了可用于缩小或扩大搜索结果范围运算符。The following table lists the operators that you can use to narrow or broaden search results.

运算符Operator 用法Usage 说明Description
ANDAND keyword1 AND keyword2keyword1 AND keyword2 返回包含所有指定关键字或表达式 property:value 的项。Returns items that include all of the specified keywords or property:value expressions. 例如,将返回 Ann Beebe 发送的所有邮件,这些邮件的主题行中包含 from:"Ann Beebe" AND subject:northwind 单词 northwind。For example, from:"Ann Beebe" AND subject:northwind would return all messages sent by Ann Beebe that contained the word northwind in the subject line. 22
+ keyword1 + keyword2 + keyword3keyword1 + keyword2 + keyword3 Returns items that contain either keyword2 or keyword3 and that also contain keyword1. Therefore, this example is equivalent to the query (keyword2 OR keyword3) AND keyword1. Returns items that contain either keyword2 or keyword3 and that also contain keyword1. Therefore, this example is equivalent to the query (keyword2 OR keyword3) AND keyword1.
查询 (符号后使用空格) 与使用 AND 运算符 keyword1 + keyword2 + 不同。 The query keyword1 + keyword2 (with a space after the + symbol) isn't the same as using the AND operator. This query would be equivalent to "keyword1 + keyword2" and return items with the exact phase "keyword1 + keyword2".This query would be equivalent to "keyword1 + keyword2" and return items with the exact phase "keyword1 + keyword2".
OROR keyword1 OR keyword2keyword1 OR keyword2 返回包含一个或多个指定关键字或表达式 property:value 的项目。Returns items that include one or more of the specified keywords or property:value expressions. 22
NOTNOT keyword1 NOT keyword2keyword1 NOT keyword2
NOT from:"Ann Beebe"NOT from:"Ann Beebe"
NOT kind:imNOT kind:im
排除关键字或表达式指定的 property:value 项。Excludes items specified by a keyword or a property:value expression. 第二个示例排除 Ann Beebe 发送的邮件。In the second example excludes messages sent by Ann Beebe. 第三个示例排除任何即时消息对话,Skype for Business保存到"对话历史记录"邮箱文件夹的即时消息对话。The third example excludes any instant messaging conversations, such as Skype for Business conversations that are saved to the Conversation History mailbox folder. 22
- keyword1 -keyword2keyword1 -keyword2 NOT 运算符作用相同。The same as the NOT operator. 因此,此查询将返回包含 keyword1 的项,并排除包含 的项 keyword2So this query returns items that contain keyword1 and would exclude items that contain keyword2.
NEARNEAR keyword1 NEAR(n) keyword2keyword1 NEAR(n) keyword2 返回包含邻近字词的项目,其中 n 表示间隔的字词数量。Returns items with words that are near each other, where n equals the number of words apart. 例如, best NEAR(5) worst 返回单词"worst"在五个单词"best"之内的任何项。For example, best NEAR(5) worst returns any item where the word "worst" is within five words of "best". 如果您没有指定数目,则默认距离是 8 个字词。If no number is specified, the default distance is eight words. 22
:: property:valueproperty:value 语法中的冒号 (:) 指定要搜索的属性的值 property:value 包含指定值。The colon (:) in the property:value syntax specifies that the value of the property being searched for contains the specified value. 例如, recipients:garthf@contoso.com 返回发送至 garthf@contoso.com 的所有邮件。For example, recipients:garthf@contoso.com returns any message sent to garthf@contoso.com.
= property=valueproperty=value 与 : 运算符相同The same as the : operator.
< property<valueproperty<value 表示正在搜索的属性小于指定的值。1Denotes that the property being searched is less than the specified value. 1
> property>valueproperty>value 表示正在搜索的属性大于指定的值。1Denotes that the property being searched is greater than the specified value.1
<= property<=valueproperty<=value 表示正在搜索的属性小于等于指定的值。1Denotes that the property being searched is less than or equal to a specific value.1
>= property>=valueproperty>=value 表示正在搜索的属性大于等于指定的值。1Denotes that the property being searched is greater than or equal to a specific value.1
.... property:value1..value2property:value1..value2 表示正在搜索的属性大于等于 value1,小于等于 value2。1Denotes that the property being searched is greater than or equal to value1 and less than or equal to value2.1
" "" " "fair value""fair value"
subject:"Quarterly Financials"subject:"Quarterly Financials"
使用双引号 (" ") 搜索关键字和搜索查询中的确切短语 property:value 或术语。Use double quotation marks (" ") to search for an exact phrase or term in keyword and property:value search queries.
* cat*cat*
subject:set*subject:set*
前缀通配符(其中星号放在单词的末尾)用于在关键字或 property:value 查询中搜索零个或多个匹配字符。Prefix wildcard searches (where the asterisk is placed at the end of a word) match for zero or more characters in keywords or property:value queries. 例如,返回包含单词 set、setup 和 setting (以及文档标题中以 title:set* "set") 的其他单词的文档。For example, title:set* returns documents that contain the word set, setup, and setting (and other words that start with "set") in the document title.

注意: 只能使用前缀通配符搜索;例如 ,cat * _ 或 _ set * 。后缀 ( * cat ) , (c t *) , 不支持 cat (* 子 * 字符串) 搜索。Note: You can use only prefix wildcard searches; for example, cat*_ or _* set*. Suffix searches (*cat* ), infix searches (c*t), and substring searches (*cat***) are not supported.

此外,添加一个 ( \。Also, adding a period ( . ) 前缀通配符搜索将更改返回的结果。) to a prefix wild card search will change the results that are returned. 这是因为句点被视为一个结束词。That's because a period is treated as a stop word. 例如,搜索 cat * _ 并搜索 _ cat。 * 将返回不同的结果。For example, searching for **cat*_ and searching for _* cat.** will return different results. 建议不要将一个时间段用于前缀通配符搜索。We recommend not using a period in a prefix wild card search.
( )( ) (fair OR free) AND (from:contoso.com)(fair OR free) AND (from:contoso.com)
(IPO OR initial) AND (stock OR shares)(IPO OR initial) AND (stock OR shares)
(quarterly financials)(quarterly financials)
括号将布尔短语、 property:value 项目和关键字结合到一起。例如, (quarterly financials) 返回包含单词"quarterly"和"financials"的项目。 Parentheses group together Boolean phrases, property:value items, and keywords. For example, (quarterly financials) returns items that contain the words quarterly and financials.

备注

1 为含有日期或数值的属性使用此运算符。1 Use this operator for properties that have date or numeric values.
2 布尔搜索运算符必须为大写形式;例如, AND2 Boolean search operators must be uppercase; for example, AND. 如果使用小写运算符(如 和 ), 它将在搜索查询中视为关键字。If you use a lowercase operator, such as and, it will be treated as a keyword in the search query.

搜索条件Search conditions

您可以向搜索查询添加条件,以缩小搜索范围并返回更精确的结果集。You can add conditions to a search query to narrow a search and return a more refined set of results. 每个条件向开始搜索时创建和运行的 KQL 搜索查询添加一个子句。Each condition adds a clause to the KQL search query that is created and run when you start the search.

通用属性的条件 Conditions for common properties

邮件属性的条件Conditions for mail properties

文档属性的条件Conditions for document properties

与条件一起使用的运算符Operators used with conditions

使用条件的准则Guidelines for using conditions

示例Examples of using conditions in search queries

通用属性的条件Conditions for common properties

在同一搜索中同时搜索邮箱和网站时,使用通用属性创建一个条件。Create a condition using common properties when searching mailboxes and sites in the same search. 下表列出了在添加条件时可使用的可用属性。The following table lists the available properties to use when adding a condition.

ConditionCondition 说明Description
日期Date 对于电子邮件而言,是指收件人收到邮件的日期,或发件人发送邮件的日期。For email, the date a message was received by a recipient or sent by the sender. 对于文档,是上次修改文档的日期。For documents, the date a document was last modified.
发件人/作者Sender/Author 对于电子邮件而言,是指发送邮件的人。For email, the person who sent a message. 对于文档而言,是指从 Office 文档的作者字段中引用的人员。For documents, the person cited in the author field from Office documents. 你可以键入多个名称,用逗号分隔。You can type more than one name, separated by commas. 通过 OR 运算符在逻辑上连接两个或多个值。Two or more values are logically connected by the OR operator.
大小 (以字节为单位) Size (in bytes) 对于电子邮件和文档而言,是项目的大小(以字节为单位)。For both email and documents, the size of the item (in bytes).
主题/标题Subject/Title 对电子邮件而言,是指邮件的主题行中的文本。For email, the text in the subject line of a message. 对于文档而言,是指文档的标题。For documents, the title of the document. 如前所述,Title 属性是在文档中指定的Microsoft Office元数据。As previously explained, the Title property is metadata specified in Microsoft Office documents. 您可以键入多个主题/标题的名称,用逗号分隔。You can type the name of more than one subject/title, separated by commas. 通过 OR 运算符在逻辑上连接两个或多个值。Two or more values are logically connected by the OR operator.
保留标签Retention label 对于电子邮件和文档,已由自动标签策略或用户手动分配的保留标签自动分配给邮件和文档的保留标签。For both email and documents, retention labels that have been assigned to messages and documents automatically by auto-label policies or retention labels that have been manually assigned by users. 保留标签用于对电子邮件和文档进行分类,以用于信息治理,并基于标签定义的设置强制执行保留规则。Retention labels are used to classify email and documents for information governance and enforce retention rules based on the settings defined by the label. 可以键入部分保留标签名称并使用通配符或键入完整标签名称。You can type part of the retention label name and use a wildcard or type the complete label name. 有关保留标签详细信息,请参阅 了解保留策略和保留标签For more information about retention labels, see Learn about retention policies and retention labels.

邮件属性的条件Conditions for mail properties

搜索邮箱或公用文件夹时使用邮件属性创建条件。Create a condition using mail properties when searching mailboxes or public folders. 下表列出了可以用于条件的电子邮件属性。The following table lists the email properties that you can use for a condition. 这些属性是之前描述的电子邮件属性的子集。These properties are a subset of the email properties that were previously described. 为了方便起见,将重复这些说明。These descriptions are repeated for your convenience.

ConditionCondition 说明Description
邮件类型Message kind 要搜索的邮件类型。The message type to search. 此属性与“Kind”电子邮件属性相同。This is the same property as the Kind email property. 可能的值:Possible values:

联系人contacts
文档docs
电子邮件email
externaldataexternaldata
传真faxes
即时消息im
日志journals
会议meetings
microsoftteamsmicrosoftteams
注释notes
公告posts
RSS 源rssfeeds
任务tasks
语音邮件voicemail
参与者Participants 电子邮件中的"所有人员"字段。All the people fields in an email message. 这些字段为 From、To、Cc 和 Bcc。These fields are From, To, Cc, and Bcc.
类型Type 电子邮件项目的邮件类属性。The message class property for an email item. 此属性与 ItemClass 电子邮件属性相同。This is the same property as the ItemClass email property. 它还为多值条件。It's also a multi-value condition. 因此,若要选择多个邮件类,请按住 Ctrl 键,然后单击下拉列表中要添加到条件的两个或多个邮件类。So to select multiple message classes, hold the CTRL key and then click two or more message classes in the drop-down list that you want to add to the condition. 在列表中选择的每个邮件类将在逻辑上由相应的搜索查询中的 OR 运算符进行连接。Each message class that you select in the list will be logically connected by the OR operator in the corresponding search query.
有关 Exchange 使用的邮件类 (及其相应的邮件类 ID) 以及您可以在"邮件类"列表中选择的邮件类列表,请参阅项目类型和邮件类For a list of the message classes (and their corresponding message class ID) that are used by Exchange and that you can select in the Message class list, see Item Types and Message Classes.
接收时间Received 收件人接收电子邮件的日期。此属性与“Received”电子邮件属性相同。The date that an email message was received by a recipient. This is the same property as the Received email property.
收件人Recipients 电子邮件中所有收件人字段。All recipient fields in an email message. 这些字段为"To"、Cc 和 Bcc。These fields are To, Cc, and Bcc.
发件人Sender 电子邮件的发件人。The sender of an email message.
SentSent 发件人发送电子邮件的日期。The date that an email message was sent by the sender. 此属性与“Sent”电子邮件属性相同。This is the same property as the Sent email property.
SubjectSubject 电子邮件主题行中的文本。The text in the subject line of an email message.
To "收件人"字段中电子邮件的收件人。The recipient of an email message in the To field.

文档属性的条件Conditions for document properties

在 SharePoint 和 OneDrive for Business 网站上搜索文档时,使用文档属性创建条件。Create a condition using document properties when searching for documents on SharePoint and OneDrive for Business sites. 下表列出了可以用于条件的文档属性。The following table lists the document properties that you can use for a condition. 这些属性是之前描述的网站属性的子集。These properties are a subset of the site properties that were previously described. 为了方便起见,将重复这些说明。These descriptions are repeated for your convenience.

ConditionCondition 说明Description
作者Author 作者字段位于 Office 文档中,复制文档后仍然存在其中。The author field from Office documents, which persists if a document is copied. 例如,如果用户创建一个文档,并将其通过电子邮件发送给随后将其上载到 SharePoint 的其他人,该文档仍将保留原始作者。For example, if a user creates a document and the emails it to someone else who then uploads it to SharePoint, the document will still retain the original author.
标题Title 文档的标题。The title of the document. Title 属性是 Office 文档中指定的元数据。The Title property is metadata that's specified in Office documents. 它不同于文档的文件名。It's different than the file name of the document.
CreatedCreated 创建文档的日期。The date that a document is created.
上次修改时间Last modified 上次修改文档的日期。The date that a document was last changed.
文件类型File type 文件的扩展名;例如,docx、one、pptx 或 xlsx。The extension of a file; for example, docx, one, pptx, or xlsx. 此属性与 FileExtension 网站属性相同。This is the same property as the FileExtension site property.

与条件一起使用的运算符Operators used with conditions

当您添加一个条件时,您可以选择与该条件的属性类型相关的运算符。下表描述了与条件一起使用的运算符,并列出了在搜索查询中使用的等效项。When you add a condition, you can select an operator that is relevant to type of property for the condition. The following table describes the operators that are used with conditions and lists the equivalent that is used in the search query.

运算符Operator 查询等效项Query equivalent 说明Description
段后After property>date 使用日期条件。返回在指定日期后发送、接收或修改的项。 Used with date conditions. Returns items that were sent, received, or modified after the specified date.
BeforeBefore property<date 使用日期条件。返回在指定日期前发送、接收或修改的项。Used with date conditions. Returns items that were sent, received, or modified before the specified date.
BetweenBetween date..date 使用日期和大小条件。Use with date and size conditions. 当使用日期条件时,返回在指定的日期范围内发送、接收或修改的项。When used with a date condition, returns items there were sent, received, or modified within the specified date range. 当使用大小条件时,返回大小在指定范围内的项。When used with a size condition, returns items whose size is within the specified range.
包含任意Contains any of (property:value) OR (property:value) 与指定字符串值的属性条件一起使用。Used with conditions for properties that specify a string value. 返回包含一个或多个指定字符串值任何部分的项目。Returns items that contain any part of one or more specified string values.
不包含任何Doesn't contain any of -property:value
NOT property:value
与指定字符串值的属性条件一起使用。返回不包含指定字符串值任何部分的项目。Used with conditions for properties that specify a string value. Returns items that don't contain any part of the specified string value.
不等于任何Doesn't equal any of -property=value
NOT property=value
与指定字符串值的属性条件一起使用。返回不包含特定字符串的项目。Used with conditions for properties that specify a string value. Returns items that don't contain the specific string.
等于Equals size=value 返回等于指定大小的项目。1Returns items that are equal to the specified size.1
等于任何Equals any of (property=value) OR (property=value) 与指定字符串值的属性条件一起使用。返回完全匹配一个或多个指定字符串值的项目。Used with conditions for properties that specify a string value. Returns items that are an exact match of one or more specified string values.
Greater size>value 返回指定属性大于指定值的项目。1Returns items where the specified property is greater than the specified value.1
大于或等于Greater or equal size>=value 返回指定属性大于或等于指定值的项目。1Returns items where the specified property is greater than or equal to the specified value.1
LessLess size<value 返回大于或等于特定值的项。1Returns items that are greater than or equal to the specific value.1
小于或等于Less or equal size<=value 返回大于或等于特定值的项。1Returns items that are greater than or equal to the specific value.1
不等于Not equal size<>value 返回不等于指定大小的项目。1Returns items that don't equal the specified size.1

备注

1 此运算符仅适用于使用 Size 属性的条件。1 This operator is available only for conditions that use the Size property.

使用条件的准则Guidelines for using conditions

在使用搜索条件时,请牢记以下几点。Keep the following in mind when using search conditions.

  • 可通过使用 AND 运算符在逻辑上将条件连接至关键字查询(在关键字框中指定)。A condition is logically connected to the keyword query (specified in the keyword box) by the AND operator. 这意味着,项目必须满足关键字查询和要在结果中包括的条件。That means that items have to satisfy both the keyword query and the condition to be included in the results. 这就是条件如何帮助缩小结果范围的原理。This is how conditions help to narrow your results.

  • 如果将两个或多个唯一条件添加到搜索查询 (指定不同属性的条件,) AND 运算符在逻辑上 连接这些条件If you add two or more unique conditions to a search query (conditions that specify different properties), those conditions are logically connected by the AND operator. 这意味着仅返回满足所有条件(除了任何关键字查询以外)的项目。That means only items that satisfy all the conditions (in addition to any keyword query) are returned.

  • 如果您对相同属性添加多个条件,则使用 OR 运算符在逻辑上对这些条件进行连接。If you add more than one condition for the same property, those conditions are logically connected by the OR operator. 这意味着将返回满足关键字查询以及任何一个条件的项。That means items that satisfy the keyword query and any one of the conditions are returned. 因此,相同条件的组通过 OR 运算符彼此相连,然后唯一性条件集通过 AND 运算符彼此相连。So, groups of the same conditions are connected to each other by the OR operator and then sets of unique conditions are connected by the AND operator.

  • 如果添加多个值 (用逗号或分号分隔) 一个条件,则这些值由 OR 运算符连接。If you add multiple values (separated by commas or semi-colons) to a single condition, those values are connected by the OR operator. 这意味着如果这些项包含条件中指定的任何属性值,则返回这些项。That means items are returned if they contain any of the specified values for the property in the condition.

  • 使用关键字框和条件创建的搜索查询将显示在"搜索"页上所选搜索的详细信息窗格中。 The search query that is created by using the keywords box and conditions is displayed on the Search page, in the details pane for the selected search. 在查询中,表示法右侧的所有 (c:c) 内容都指示添加到查询的条件。In a query, everything to the right of the notation (c:c) indicates conditions that are added to the query.

  • 条件只将属性添加到搜索查询中,而不会添加运算符。Conditions only add properties to the search query; the don't add operators. 这就是详细信息窗格中显示的查询在表示法右侧不显示运算符 (c:c) 的原因。This is why the query displayed in the detail pane doesn't show operators to the right of the (c:c) notation. 执行查询时,KQL 会添加逻辑运算符(根据前面所述的规则)。KQL adds the logical operators (according to the previously explained rules) when the executing the query.

  • 您可以使用拖放控件重新排序条件的顺序。You can use the drag and drop control to resequence the order of conditions. 单击某个条件的控件,然后向上或向下移动它。Click on the control for a condition and move it up or down.

  • 如前所述,某些条件属性允许您键入多个值 (用分号分隔) 。As previously explained, some condition properties allow you to type multiple values (separated by semi-colons). 每个值都由 OR 运算符在逻辑上连接,结果为查询 (filetype:docx) OR (filetype:pptx) OR (filetype:xlsx)Each value is logically connected by the OR operator, and results in the query (filetype:docx) OR (filetype:pptx) OR (filetype:xlsx). 下图显示了具有多个值的条件的示例。The following illustration shows an example of a condition with multiple values.

    邮件必须匹配该规则的所有条件。如果需要匹配一个条件或另一个条件,请对每个条件使用不同的规则。例如,如果您要为带有附件的邮件和内容匹配某个模式的邮件添加相同的免责声明,请为每个条件创建一个规则。您可以轻松地复制规则。

    备注

    无法通过单击同一属性 (添加条件来 添加多个条件。You can't add multiple conditions (by clicking Add condition for the same property. 相反,您必须为条件提供多个值 (用分号分隔) ,如上一示例所示。Instead, you have to provide multiple values for the condition (separated by semi-colons), as shown in the previous example.

示例Examples of using conditions in search queries

以下示例显示具有条件的基于 GUI 的搜索查询版本、显示在选定搜索 ((也由 Get-ComplianceSearch cmdlet) 返回)的详细信息窗格中的搜索查询语法,以及相应的 KQL 查询的逻辑。The following examples show the GUI-based version of a search query with conditions, the search query syntax that is displayed in the details pane of the selected search (which is also returned by the Get-ComplianceSearch cmdlet), and the logic of the corresponding KQL query.

示例 1Example 1

此示例返回 SharePoint 和 OneDrive for Business 网站上包含信用卡号且上次修改时间在 2021 年 1 月 1 日之前的文档。This example returns documents on SharePoint and OneDrive for Business sites that contain a credit card number and were last modified before January 1, 2021.

GUIGUI

第一个搜索条件示例

搜索查询语法Search query syntax

SensitiveType:"Credit Card Number"(c:c)(lastmodifiedtime<2021-01-01)

搜索查询逻辑Search query logic

SensitiveType:"Credit Card Number" AND (lastmodifiedtime<2021-01-01)

请注意,在上一张屏幕截图中,搜索 UI 强调关键字查询和条件由 AND 运算符连接。Notice in the previous screenshot that the search UI reinforces that the keyword query and condition are connected by the AND operator.

示例 2Example 2

本示例返回包含关键字"report"的电子邮件项目或文档,这些项目或文档在 2021 年 4 月 1 日之前发送或创建,并且电子邮件的主题字段或文档的标题属性中包含单词"northwind"。This example returns email items or documents that contain the keyword "report", that were sent or created before April 1, 2021, and that contain the word "northwind" in the subject field of email messages or in the title property of documents. 查询不包括符合其他搜索条件的网页。The query excludes Web pages that meet the other search criteria.

GUIGUI

第二个搜索条件示例

搜索查询语法Search query syntax

report(c:c)(date<2021-04-01)(subjecttitle:"northwind")(-filetype:aspx)

搜索查询逻辑Search query logic

report AND (date<2021-04-01) AND (subjecttitle:"northwind") NOT (filetype:aspx)

示例 3Example 3

本示例返回在 2019 年 12 月 1 日至 2020 年 11 月 30 日之间发送且包含以"phone"或"smartphone"开始的单词的电子邮件或日历会议。This example returns email messages or calendar meetings that were sent between 12/1/2019 and 11/30/2020 and that contain words that start with "phone" or "smartphone".

GUIGUI

搜索条件示例三

搜索查询语法Search query syntax

phone* OR smartphone*(c:c)(sent=2019-12-01..2020-11-30)(kind="email")(kind="meetings")

搜索查询逻辑Search query logic

phone* OR smartphone* AND (sent=2029-12-01..2020-11-30) AND ((kind="email") OR (kind="meetings"))

特殊字符Special characters

某些特殊字符不包含在搜索索引中,因此不可搜索。Some special characters are not included in the search index and therefore are not searchable. 这还包括表示搜索查询中的搜索运算符的特殊字符。This also includes the special characters that represent search operators in the search query. 下面是在实际搜索查询中由空格替换或导致搜索错误的特殊字符的列表。Here's a list of special characters that are either replaced by a blank space in the actual search query or cause a search error.

+ - = : ! @ # % ^ & ; _ / ? ( ) [ ] { }

搜索与外部用户共享的网站内容Searching for site content shared with external users

您还可以使用合规中心中的电子数据展示搜索工具搜索存储在 SharePoint 和 OneDrive for Business 网站上且已与组织外部人员共享的文档。You can also use eDiscovery search tools in the compliance center to search for documents stored on SharePoint and OneDrive for Business sites that have been shared with people outside of your organization. 这可以帮助你识别与组织外部人员共享的敏感信息或专有信息。This can help you identify sensitive or proprietary information that's being shared outside your organization. 您可以通过在关键字查询 ViewableByExternalUsers 中使用 属性来这样做。You can do this by using the ViewableByExternalUsers property in a keyword query. 此属性返回已使用下列共享方法之一与外部用户共享的文档或网站:This property returns documents or sites that have been shared with external users by using one of the following sharing methods:

  • 要求用户以经过身份验证的用户身份登录到组织的共享邀请。A sharing invitation that requires users to sign in to your organization as an authenticated user.

  • 匿名来宾链接,允许具有此链接的任何人无需经过身份验证即可访问资源。An anonymous guest link, which allows anyone with this link to access the resource without having to be authenticated.

下面是一些示例:Here are some examples:

  • 查询返回已与组织外部人员共享并包含信用卡号 ViewableByExternalUsers:true AND SensitiveType:"Credit Card Number" 的所有项目。The query ViewableByExternalUsers:true AND SensitiveType:"Credit Card Number" returns all items that have been shared with people outside your organization and contain a credit card number.

  • 查询 ViewableByExternalUsers:true AND ContentType:document AND site:"https://contoso.sharepoint.com/Sites/Teams" 返回组织中所有工作组网站上已与外部用户共享的文档列表。The query ViewableByExternalUsers:true AND ContentType:document AND site:"https://contoso.sharepoint.com/Sites/Teams" returns a list of documents on all team sites in the organization that have been shared with external users.

提示

搜索查询(如 ViewableByExternalUsers:true AND ContentType:document )可能在搜索结果中返回大量 .aspx 文件。A search query such as ViewableByExternalUsers:true AND ContentType:document might return a lot of .aspx files in the search results. 若要消除 (或其他类型的文件) ,可以使用 属性排除特定 FileExtension 文件类型;例如 ViewableByExternalUsers:true AND ContentType:document NOT FileExtension:aspxTo eliminate these (or other types of files), you can use the FileExtension property to exclude specific file types; for example ViewableByExternalUsers:true AND ContentType:document NOT FileExtension:aspx.

哪些内容视为与组织的外部人员共享的内容?What is considered content that is shared with people outside your organization? 通过发送共享邀请共享或在公共位置共享的组织的 SharePoint 和 OneDrive for Business 网站中的文档。Documents in your organization's SharePoint and OneDrive for Business sites that are shared by sending a sharing invitation or that are shared in public locations. 例如,下列用户活动会产生外部用户可以查看的内容:For example, the following user activities result in content that is viewable by external users:

  • 用户与组织外部的人员共享文件或文件夹。A user shares a file or folder with a person outside your organization.

  • 用户创建共享文件并将链接发送给组织外部的人员。A user creates and sends a link to a shared file to a person outside your organization. 此链接允许外部用户查看(或编辑)该文件。This link allows the external user to view (or edit) the file.

  • 用户向组织外部的人员发送共享邀请或来宾链接以查看(或编辑)共享文件。A user sends a sharing invitation or a guest link to a person outside your organization to view (or edit) a shared file.

使用 ViewableByExternalUsers 属性时的问题Issues using the ViewableByExternalUsers property

虽然属性表示文档或网站是否与外部用户共享的状态,但此属性确实存在一些注意事项,但 ViewableByExternalUsers 无法反映这一点。While the ViewableByExternalUsers property represents the status of whether a document or site is shared with external users, there are some caveats to what this property does and doesn't reflect. 在下列情况下,不会更新属性的值,并且使用此属性的搜索查询 ViewableByExternalUsers 的结果可能不准确。In the following scenarios, the value of the ViewableByExternalUsers property won't be updated, and the results of a search query that uses this property may be inaccurate.

  • 对共享策略的更改,例如为站点或组织关闭外部共享。Changes to sharing policy, such as turning off external sharing for a site or for the organization. 即使已撤消外部访问,属性仍将以前共享的文档显示为可从外部访问。The property will still show previously shared documents as being externally accessible even though external access might have been revoked.

  • 更改组成员身份,例如向 Microsoft 365 组或 Microsoft 365 安全组添加或删除外部用户。Changes to group membership, such as adding or removing external users to Microsoft 365 Groups or Microsoft 365 security groups. 对于组有权访问的项目,该属性不会自动更新。The property won't automatically be updated for items the group has access to.

  • 向收件人尚未接受邀请的外部用户发送共享邀请,因此尚无法访问内容。Sending sharing invitations to external users where the recipient hasn't accepted the invitation, and therefore doesn't yet have access to the content.

在这些情况下,在重新对网站或文档库进行重新绘制和重新索引之前,该属性不会 ViewableByExternalUsers 反映当前共享状态。In these scenarios, the ViewableByExternalUsers property won't reflect the current sharing status until the site or document library is recrawled and reindexed.

搜索在组织中共享的网站内容Searching for site content shared within your organization

如前所述,您可以使用 属性搜索组织中人员之间共享 SharedWithUsersOWSUser 的文档。As previously explained, you can use the SharedWithUsersOWSUser property so search for documents that have been shared between people in your organization. 当用户与组织内部的其他用户共享文件 (或文件夹) 时,共享文件的链接会显示在共享文件的用户的 OneDrive for Business帐户的"已共享我"页面上。When a person shares a file (or folder) with another user inside your organization, a link to the shared file appears on the Shared with me page in the OneDrive for Business account of the person who the file was shared with. 例如,若要搜索已与 Sara Davis 共享的文档,可以使用查询 SharedWithUsersOWSUser:"sarad@contoso.com"For example, to search for the documents that have been shared with Sara Davis, you can use the query SharedWithUsersOWSUser:"sarad@contoso.com". 如果导出此搜索的结果,将下载 (与 Sara 共享文档的人的内容位置) 原始文档。If you export the results of this search, the original documents (located in the content location of the person who shared the documents with Sara) will be downloaded.

使用 属性时,文档必须与特定用户显式共享,以在搜索结果中 SharedWithUsersOWSUser 返回。Documents must be explicitly shared with a specific user to be returned in search results when using the SharedWithUsersOWSUser property. 例如,当用户在 OneDrive 帐户中共享文档时,他们可以选择与组织) 内外的任何 (共享文档、仅与组织内部人员共享文档或与特定人员共享文档。For example, when a person shares a document in their OneDrive account, they have the option to share it with anyone (inside or outside the organization), share it only with people inside the organization, or share it with a specific person. 以下是 OneDrive 中的"共享 "窗口的 屏幕截图,其中显示了三个共享选项。Here's a screenshot of the Share window in OneDrive, that shows the three sharing options.

使用 SharedWithUsersOWSUser 属性的搜索查询仅返回与特定人员共享的文件

使用 属性的搜索查询 (,将仅) 使用"特定人员"共享的第三个选项共享 SharedWithUsersOWSUser 的文档。Only documents that are shared by using the third option (shared with Specific people) will be returned by a search query that uses the SharedWithUsersOWSUser property.

搜索 Skype for Business 对话Searching for Skype for Business conversations

可以使用以下关键字查询来专门搜索 Skype for Business 对话中的内容:You can use the following keyword query to specifically search for content in Skype for Business conversations:

kind:im

上一个搜索查询还返回来自 Microsoft Teams 的聊天。The previous search query also returns chats from Microsoft Teams. 为了防止这种情况,可以使用以下关键字查询将搜索结果缩小为仅包含 Skype for Business 对话:To prevent this, you can narrow the search results to include only Skype for Business conversations by using the following keyword query:

kind:im AND subject:conversation

前面的关键字查询不包括 Microsoft Teams 中的聊天,因为 Skype for Business 对话保存为电子邮件,主题行以单词"Conversation"开头。The previous keyword query excludes chats in Microsoft Teams because Skype for Business conversations are saved as email messages with a Subject line that starts with the word "Conversation".

若要搜索特定日期范围内发生的 Skype for Business 对话,请使用以下关键字查询:To search for Skype for Business conversations that occurred within a specific date range, use the following keyword query:

kind:im AND subject:conversation AND (received=startdate..enddate)

搜索的字符限制Character limits for searches

搜索 SharePoint 网站和 OneDrive 帐户的内容时,搜索查询的字符限制为 4,000 个字符。There is a 4,000 character limit for search queries when searching for content in SharePoint sites and OneDrive accounts.
下面是如何计算搜索查询中的字符总数:Here is how the total number of characters in the search query are calculated:

  • 关键字搜索查询查询中的 (包括用户和筛选器字段) 此限制计数。The characters in keyword search query (including both user and filter fields) count against this limit.

  • 任何位置属性中的字符 (例如要搜索的所有 SharePoint 网站或 OneDrive 位置的 URL,) 此限制计数。The characters in any location property (such as the URLs for all the SharePoint sites or OneDrive locations being searched) count against this limit.

  • 应用于运行搜索计数的用户的所有搜索权限筛选器中的字符数限制。The characters in all the search permissions filters that are applied to the user running the search count against the limit.

有关字符限制的信息,请参阅电子 数据展示搜索限制For more information about character limits, see eDiscovery search limits.

备注

4,000 个字符的限制适用于内容搜索、核心电子数据展示和高级电子数据展示。The 4,000 character limit applies to Content search, Core eDiscovery, and Advanced eDiscovery.

搜索提示和技巧Search tips and tricks

  • 关键字搜索不区分大小写。Keyword searches are not case-sensitive. 例如, catCAT 将返回相同的结果。For example, cat and CAT return the same results.

  • 布尔运算符 ANDORNOTNEAR 必须为大写。The Boolean operators AND, OR, NOT, and NEAR must be uppercase.

  • 两个关键字或两个 property:value 表达式之间的空格与使用 AND 相同。A space between two keywords or two property:value expressions is the same as using AND. 例如,返回 Sara Davis 发送 from:"Sara Davis" subject:reorganization 的所有邮件,这些邮件在主题行中包含单词重新组织。For example, from:"Sara Davis" subject:reorganization returns all messages sent by Sara Davis that contain the word reorganization in the subject line.

  • 使用与格式匹配的 property:value 语法。Use syntax that matches the property:value format. 值不区分大小写,并且它们不可以在运算符后留有空格。Values are not case-sensitive, and they can't have a space after the operator. 如果存在空格,则预期值为全文搜索。If there is a space, your intended value will be a full-text search. 例如 to: pilarp ,搜索"pilarp"作为关键字,而不是发送到 pilarp 的邮件。For example to: pilarp searches for "pilarp" as a keyword, rather than for messages that were sent to pilarp.

  • 在搜索收件人属性(如 To、From、Cc 或 Recipients)时,您可以使用 SMTP 地址、别名或显示名来表示收件人。例如,您可以使用 pilarp@contoso.com、pilarp 或"Pilar Pinilla"。When searching a recipient property, such as To, From, Cc, or Recipients, you can use an SMTP address, alias, or display name to denote a recipient. For example, you can use pilarp@contoso.com, pilarp, or "Pilar Pinilla".

  • 只能使用前缀通配符搜索;例如 ,cat * _ 或 _ set * 。后缀 ( * cat) , (c t t *) , 不支持 (* cat *) 搜索。You can use only prefix wildcard searches; for example, cat*_ or _* set*. Suffix searches (**cat), infix searches (c*t), and substring searches (***cat***) are not supported.

  • 在搜索属性时,如果 (多个单词) ,请使用双引号") "。When searching a property, use double quotation marks (" ") if the search value consists of multiple words. 例如 subject:budget Q1 ,返回主题行 中包含 budget 且在邮件中的任何位置或任意邮件属性中包含 Q1 的邮件。For example subject:budget Q1 returns messages that contain budget in the subject line and that contain Q1 anywhere in the message or in any of the message properties. Using subject:"budget Q1" 返回主题行中任意位置包含 budget Q1 的所有邮件。Using subject:"budget Q1" returns all messages that contain budget Q1 anywhere in the subject line.

  • 若要将使用某个属性值标记的内容从搜索结果中排除,请在属性名称前放置减号 (-)。To exclude content marked with a certain property value from your search results, place a minus sign (-) before the name of the property. 例如,排除 Sara -from:"Sara Davis" Davis 发送的任何邮件。For example, -from:"Sara Davis" excludes any messages sent by Sara Davis.

  • 您可以根据邮件类型导出项目。You can export items based on message type. 例如,若要导出 Microsoft Teams 中的 Skype 对话和聊天,请使用语法 kind:imFor example, to export Skype conversations and chats in Microsoft Teams, use the syntax kind:im. 若要仅返回电子邮件,请使用 kind:emailTo return only email messages, you would use kind:email. 若要在 Microsoft Teams 中返回聊天、会议和通话,请使用 kind:microsoftteamsTo return chats, meetings, and calls in Microsoft Teams, use kind:microsoftteams.

  • 如前所述,在搜索网站时,当使用 属性仅返回指定网站中的项目时,您必须将尾随添加到 / URL path 的末尾。As previously explained, when searching sites you have to add the trailing / to the end of the URL when using the path property to return only items in a specified site. 如果不包括尾随,还将返回具有相似路径名称 / 的网站中的项目。If you don't include the trailing /, items from a site with a similar path name will also be returned. 例如,如果使用 path:sites/HelloWorld ,则也会返回名为 sites/HelloWorld_Eastsites/HelloWorld_West 的网站中的项目。For example, if you use path:sites/HelloWorld then items from sites named sites/HelloWorld_East or sites/HelloWorld_West would also be returned. 若要仅从 HelloWorld 网站返回项目,你必须使用 path:sites/HelloWorld/To return items only from the HelloWorld site, you have to use path:sites/HelloWorld/.