Advanced Query Language Examples
Field Search
To search for a term in any field, type:
field:term
where
fieldis one of the fields here.termis the value you want to find. To find a phrase, enclose it in double quotation marks.
For example, to find all messages that include the phrase Quarterly Report in the Subject field, use:
mailsubject:”Quarterly Report”
To find all messages sent from the email address bob@genericorp.com
mailfrom:bob@genericorp.com
NOTE
Message envelope searches (Recipients (Envelope) and All Recipients filters, or recipients query language fields) can only search the envelope information that Continuity is able to capture.
For undisclosed recipient information (including Bcc recipients), the only addresses that will be captured are internal addresses included in a retention policy.
When searching for undisclosed recipients, the undisclosed recipient headers will not be visible in the search results but the relevant messages will be included in the result set.
Search For Range of Dates or Sizes
To search for mail using a range of dates or a range of sizes, type
field:range(start, end)
where
fieldisemaildate,receiveddate,totalsize, orsizerangedefines the beginning and ending points of the search.minindicates the minimum size or date, andmaxindicates the maximum size or date.
For example, to find all messages with a total size that is at least 4 KB but no greater than 8 KB
totalsize:range(4096, 8192)
To find all messages sent between December 25, 2018 and August 1, 2019 (local time)
emaildate:range(2018‑12‑25T05:00:00, 2019-08-01T05:00:00)
To find messages sent before December 25, 2019 (local time)
emaildate:range(min, 2019-12-25T05:00:00)
To find messages received on or after August 2, 2019 (local time)
receiveddate:range(2019-08-02T05:00:00, max)
Proximity Search (NEAR )
To search for words in proximity to each other, type:
near(arg, arg, n=numericValue)
where:
argis a word you want to find (use as many as are required, following each by a comma)n=numericValuethe slop for the search.
Slop is defined as the cumulative number of places that tokens may be moved in order to be considered a match the given phrase.
For example:
near(big, red, car, n=0)matches the exact phrase “big red car”- near(big, red, car, n=1) matches:
- the phrase “
big red * car” (“car” moved one token) - all phrases matched by
n=0 - it does NOT match “
big * red car” (both “red” and “car” moved one token, for a total slop of 2) near(big, red, car, n=2)matches- the phrase “
big red * * car” (carmoved two tokens) - the phrase “
big * red car” (both “red” and “car” moved one token) - the phrase “
red big car” (both “big” and “red” moved one token) - and all phrases matched by
n=1andn=0 - but does NOT match “
big * * red car” (both “red” and “car” moved two tokens, for a total slop of 4)
Boolean Operators
To combine search expressions using Boolean operators (AND, OR and NOT), use:
ANDbetween terms, to indicate both terms must be matchedORbetween terms, to indicate either term may be matched, but at least one must matchNOTas a prefix to a term, to find terms that do not match the specified criteria- parenthesis ( and ) to group terms
For example, to find messages that include either the phrase financial report or the phrase balance sheetm, that were sent before December 25, 2018 or after August 1, 2019, but not between those dates:
NOT (emaildate:range (2018-12-25T05:00:00, 2019-08-01T05:00:00)) AND (“financial report” OR “balance sheet”)
Find Partially Indexed Documents
To find only partially indexed documents, such as those that are too large or have damaged metadata, add AND indexlevel:1 to the query.
For example, to find documents sent before December 31, 2019 that have not been fully indexed:
emaildate:range(min, 2019-12-31) AND indexlevel:1