Field	Description	Type	Example
altrecipients	Alternative recipients listed in the To field or Cc field of the envelope journal report. Note that this search field is only applicable to envelope journaled messages and to reviewer searches.	String	altrecipients: bob_anderson@ genericorp.com
attachedfiles	A filename (If filename contains spaces, enclose in quotes) Filenames joined by Boolean expressions (If filename contains spaces, enclose in quotes) To match an ordered list of attachments use a semicolon separated list of all filenames, enclosed in quotes (No need to add extra quotes to filenames with spaces)	String	attachedfiles: picture.jpg attachedfiles: picture.jpg or “second picture.jpg” attachedfiles: “report.xls; report.doc; Quarterly Report.ppt”
content	The content of the message.	String	content:”Q4 results”
dlists	Distribution lists listed in the To field or Cc field of the envelope journal report. Note that this search field is only applicable to envelope journaled messages.	String	dlists: all_employees@ genericorp.com
emaildate	The date specified in the Sent Date field of the message header. To search by date only, use the form YYYY-MM-DD. To search by date and time, use the form YYYY-MM-DDThh:mm:ssZ. T is a required constant that identifies the following characters as times. Z is an optional UTC (Coordinated Universal Time) time zone identifier. UTC is default. Use 24-hour clock when specifying time. Use min and/or max to specify earliest/latest dates. Use < or > to specify dates before or after a certain date.Note: By default, emaildate is stored as UTC (GMT) time. To search using your local time zone value, use the TIME value to manually compensate for the number of hours offset from UTC. For example: T05:00:00 is midnight in the US-Central time zone.	Date	To find messages sent between January 1, 2018, midnight (local) and January 3, 2019, midnight (local): emaildate:range (2018‑01‑01T05:00:00, 2019‑01‑03T05:00:00) To find messages received after Aug. 21, 2019 use: emaildate:>2019-08-21To find messages received before Aug. 21, 2019, use: emaildate:<2019-08-21
envrecipients	The recipient information contained in the message envelope. Note that the message envelope is the wrapper that contains the message's delivery directives. For envelope journaled messages: This field contains all recipient information. For non-journaled messages: This field can be used to search for Bcc recipients. NOTE: Only email addresses found in retention policies can be found using Bcc. It will not find any email addresses that are external to your organization or not included in a retention policy. Note that this search field is only applicable to reviewer searches.	String	envrecipients: bob_anderson@ genericorp.com
envsender	The sender information contained in the message envelope. Note that the message envelope refers to the wrapper that contains the message's delivery directives.	String	envsender:bob_ anderson@ genericorp.com
filename	The file name of a document or message. When searching for an attachment, also set isattachment:1 for the attachment file name. To search for a message, set isattachment:0.	String	filename:report.xls and isattachment:1
isattachment	An indicator of whether the document is an email attachment or a message. To indicate that the document is an attachment, set isattachment:1. To indicate that the document is not an attachment, set isattachment:0.	Integer	filename:report.xls and isattachment:1
mailbcc	Recipients listed in the Bcc field of the envelope journal report. Note that this search field is only applicable to envelope journaled messages and to reviewer searches.	String	mailbcc: bob_anderson@ genericorp.com
mailbccaltrecipient	Alternative recipients listed in the Bcc field of the envelope journal report. Note that this search field is only applicable to envelope journaled messages and to reviewer searches.	String	mailbccaltrecipient: bob_anderson@ genericorp.com
mailbccdlist	Distribution lists listed in the Bcc field of the envelope journal report. Note that this search field is only applicable to envelope journaled messages and to reviewer searches.	String	mailbccdlist: all_employees@ genericorp.com
mailcc	The recipients listed in the Cc field of the message header.	String	mailcc:bob@ genericorp.com
mailccaltrecipient	Alternative recipients listed in the Cc field of the envelope journal report. Note that this search field is only applicable to envelope journaled messages and to reviewer searches.	String	mailccaltrecipient: bob_anderson@ genericorp.com
mailccdlist	Distribution lists listed in the Cc field of the envelope journal report. Note that this search field is only applicable to envelope journaled messages.	String	mailccdlist: all_employees@ genericorp.com
mailfrom	The sender listed in the From field of the message header.	String	mailfrom:bob@ genericorp.com
mailsubject	The subject of the message. If value contains spaces, enclose in double-quotes.	String	mailsubject: ”Quarterly Report”
mailto	The recipients listed in the To field of the message header.	String	mailto: bob@genericorp.com
mailtoaltrecipient	Alternative recipients listed in the To field of the envelope journal report. Note that this search field is only applicable to envelope journaled messages and to reviewer searches.	String	mailtoaltrecipient: bob_anderson@ genericorp.com
mailtodlist	Distribution lists recipients listed in the To field of the envelope journal report. Note that this search field is only applicable to envelope journaled messages.	String	mailtodlist: all_employees@ genericorp.com
receiveddate	The date the message was received by the email server. To search by date only, use the form YYYY-MM-DD. To search by date and time, use the form YYYY-MM-DDThh:mm:ssZ. T is a required constant that identifies the following characters as times. Z is an optional UTC time zone identifier. UTC is default. Use 24-hour clock when specifying time. Use min and/or max to specify earliest/latest dates. Use < or > to specify dates before or after a certain date. Note: By default, receivedate is stored as UTC (GMT) time. To search using your local time zone value, use the TIME value to manually compensate for the number of hours offset from UTC. For example: T05:00:00 is midnight in the US-Central time zone.	Date	To find all messages received on or after February 3, 2018, use receiveddate:range (2018-02-03, max). To find all messages received before February 3, 2018, use receiveddate:range (min, 2018-02-03) To find messages received after Aug. 21, 2019 use: receivedate:>2019-08-21 To find messages received before Aug. 21, 2019, use: receivedate:<2019-08-21
recipients	The recipients listed in one or more of the following: The list of recipient information contained in the message envelope (see envrecipient field for details) The To field of the message header. The Cc field of the message header. Distribution lists listed in the To field or Cc field of envelope journal report. This is only applicable to envelope journaled messages. Alternative recipients listed in the To field or Cc field of envelope journal report. Note that this search field is only applicable to reviewer searches.	String	(recipients:bob@ genericorp.com OR recipients:sue@ genericorp.com)
senders	The list of senders in the message envelope or the From field of the message header. Note that the message envelope refers to the wrapper that contains the message's delivery directives.	String	(senders:bob@ genericorp.com OR senders:sue@ genericorp.com)
size	The size of document (message or attachment) in bytes. Express sizes in bytes. For example, 4 KB as 4096. Use < or > to specify sizes greater or less than a certain size.	Integer	To find all messages (messages only, without attachments) with a total size of at least 4KB but no greater than 8KB, use size:range (4096, 8192)
totalsize	The size of the message, in bytes, including all attachments. Express sizes in bytes. For example, 4 KB as 4096. Or use < or > to specify sizes greater or less than a certain size.	Integer	To find all messages with a total size (messages and attachments) of at least 8KB or greater, use totalsize:range (8192, max)
undisclosedrecipients	Undisclosed recipients listed in one or more of the following: The list of recipients in the Bcc field of the envelope journal report. The list of distribution lists in the Bcc field of the envelope journal report. The list of alternative recipients in the Bcc field of the envelope journal report. Note that this search field is only applicable to envelope journaled messages and to reviewer searches.	String	undisclosedrecipients: bob_anderson@ genericorp.com

Field Search

To search for a term in any field, type:

field:term

where

• field is one of the fields in Query Language Fields.
• term is the value you want to find. To find a phrase, enclose it in double quotation marks.

For example:

To find all messages that include the phrase Quarterly Report in the Subject field

mailsubject:”Quarterly Report”

To find all messages sent from the email address bob@genericorp.com

mailfrom:bob@genericorp.com

Search For Range of Dates or Sizes

To search for mail using a range of dates or a range of sizes, type

field:range(start, end)

where

• field is emaildate, receiveddate, totalsize, or size
• range defines the beginning and ending points of the search. min indicates the minimum size or data, and max indicates the maximum size or date.

For example:

To find all messages with a total size that is at least 4 KB but no greater than 8 KB

totalsize:range(4096, 8192)

To find all messages sent between December 25, 2018 and August 1, 2019 (local time)

emaildate:range(2018‑12‑25T05:00:00, 2019-08-01T05:00:00)

To find messages sent before December 25, 2018 (local time)

emaildate:range(min, 2018-12-25T05:00:00)

To find messages received on or after August 2, 2019 (local time)

receiveddate:range(2019-08-02T05:00:00, max)

Proximity Search

NEAR

To search for words in proximity to each other, type:

near(arg, arg, n=numericValue)

where:

• arg is a word you want to find (use as many as are required, following each by a comma)
• n=numericValue the slop for the search.

Slop is defined as the cumulative number of places that tokens may be moved in order to be considered a match the given phrase.

For example:

near(big, red, car, n=0) matches:

• the exact phrase “big red car”

near(big, red, car, n=1) matches:

• the phrase “big red * car” (“car” moved one token)
• and all phrases matched by n=0
• but does NOT match “big * red car” (both “red” and “car” moved one token, for a total slop of 2)
• near(big, red, car, n=2) matches:
• the phrase “big red * * car” (car moved two tokens)
• the phrase “big * red car” (both “red” and “car” moved one token)
• the phrase “red big car” (both “big” and “red” moved one token)
• and all phrases matched by n=1 and n=0
• but does NOT match “big * * red car” (both “red” and “car” moved two tokens, for a total slop of 4)

Boolean Operators

To combine search expressions using Boolean operators (AND, OR and NOT), use:

• AND between terms, to indicate both terms must be matched
• OR between terms, to indicate either term may be matched, but at least one must match
• NOT as a prefix to a term, to find terms that do not match the specified criteria
• Use matched parenthesis, ‘(‘ ’)’, to group terms

For example:

To find messages that include either the phrase financial report or the phrase balance sheet and were sent before December 25, 2018 or after August 1, 2019, but not between those dates

NOT (emaildate:range (2018-12-25T05:00:00, 2019-08-01T05:00:00)) AND (“financial report” OR “balance sheet”)

Find Partially Indexed Documents

To find only partially indexed documents, such as those that are too large or have damaged metadata, add AND indexlevel:1 to the query.

To find documents sent before December 31, 2018 that have not been fully indexed

emaildate:range(min, 2018-12-31) AND indexlevel:1

• Use Caution When Editing Generated Queries

The generated query may contain unfamiliar query arguments such as linguistics or mode. When editing a generated query, do not change these arguments, or the query may not return the expected search results.

• Maximum Message Size Limitations

The maximum message size that can be fully indexed in the data center archive is 100 MB. Message bodies or individual attachments that are larger than 100 MB are partially indexed using available header fields and metadata.

• Message Envelope Search Limitations

Message envelope searches (envrecipients and recipients query language fields) can only search the envelope information that Continuity is able to capture.

For undisclosed recipient information (including Bcc recipients), the only addresses that will be captured are internal addresses included in a retention policy.

When searching for undisclosed recipients, the undisclosed recipient headers will not be visible in the search results but the relevant messages will be included in the result set.

• Limitations When Formulating Long Queries

In Internet Explorer, the URL length limit of 2083 characters can cause errors when executing a long discovery query. If a query URL exceeds the character limit, Internet Explorer will display an error message and the query will not execute.

This scenario is most likely when using the Query Language or Query Builder options to build a complex query containing many search parameters. Simple searches are not likely to trigger this issue.

One workaround is to use a web browser with longer URL character limits, such as Mozilla Firefox. Another workaround is to narrow the search to fewer parameters.

• Special Character Limitations

If you submit a query containing only a single special character (such as a tilde, parenthesis, or exclamation point), the system returns all messages within your reviewer scope. The workaround for this issue is to use at least one alphanumeric character in your query in addition to the special character.

There is a message I think should be in the archive, but I am unable to find it there. Why can't I find it?

A message may not be archived for one of the following reasons:

• The message never reached your inbound mail server (for example, being quarantined for spam or security reasons).
• The sender or recipient of the message is not covered by any retention policy.
• The date of the message falls outside the range of the retention policy covering the user.

I can find an archived message based on the title or date, but not by searching for words within the message content. Why can’t I find these messages by content?

There are certain categories of content that are archived and the header information indexed, but the content itself cannot be indexed. These categories include:

• XML files
• Media files (audio/video/image type)
• Non-standard binary files
• Password-protected ZIP files
• Message bodies or individual attachments that are larger than 50 MB
• Documents with corrupt or malformed content
• Documents with corrupt or invalid content-type information
• These items can still be recovered.