Search examples and tips
Examples of using Basic, Advanced, and Query Searches
Suppose you want to search for the messages that relate to the resetting of a password. You can enter
password resetinto the Search box and click Search to perform a Search. The space betweenpasswordandreset is treated as an AND operator, so the returned results contain any messages that include both the word password and the word reset.
Suppose that you now decide to search for the phrase password reset , and to exclude from the results any emails that reference the word Box. You can use an Advanced Search for this purpose. Click the expand icon to display the Advanced Search options. Your original Search is now shown in the first criteria row.
Insert double quotation marks around
password resetto specify it as a phrase. Then click + to add a second criteria row. In the new criteria row, select Doesn't Contain and enterBox in the text field.
Click Search to perform the search. The search returns any items that do not contain Box but that contain the exact phrase password reset.
Table: List of query search terms lists some possible query search terms along with examples.
Related information
Table: List of query search terms
| Search term | Data type | Description | Example |
|---|---|---|---|
_All, Entiremessage |
Text | Searches through all default fields. Add search criterion before query text/value. | _All:(test or test2) |
| "hello world" | |||
| Entiremessage:test | |||
Attachments.content |
Text | Search by attachment content. | Attachments.content: "Hello World" |
Attachments.extension |
Text | Search by attachment file type (PDF, DOC, docx, and so on.) | Attachments.extension:docx |
Attachments.filename |
Text | Search by the file name of the attachment. | Attachments.filename:Report.PDF |
Attcount |
Integer | Search by the amount of attachments. | Attcount:6 |
| Note: This query search term does not support the Searches for the Microsoft Teams messages. | |||
Attflag |
Boolean | Search by whether there is an attachment. | Attflag:true |
Atttext |
Text | Search the content of the attachments. | Atttext:Computers |
Atttypes |
Text | Search by the attachment type. | Atttypes:PDF |
| Bcc | Text | Search by blind carbon copy recipients. | Bcc:JoeBlogs@example.com |
| Sender:*@example.com | |||
Cc |
Text | Search by carbon copy recipients. | Cc:JoeBlogs@example.com |
| Note: This query search term does not support the Searches for the Microsoft Teams messages. | Sender:*@example.com | ||
Classification.tags |
Text | Search by classification tags. | Classification.tags:PII |
| Note: This query search term does not support the Searches for the Microsoft Teams messages. | |||
FromOrTo |
Text | Search the text in the From and/or To fields of the email. | FromOrTo:JoeBlogs@example.com |
Hidden |
Boolean | Search whether email is visible to end user or not. | Email Hidden\: |
| Note: This query search term does not support the Searches for the Microsoft Teams messages. | Hidden:(1) | ||
| Email Visible: | |||
| NOT Hidden:(1) | |||
Inbound |
Boolean | Search inbound emails. | Inbound:false |
| Note: This query search term does not support the Searches for the Microsoft Teams messages. | |||
Internal |
- | Search and retrieves only internal messages exchanged within the same organization. | To include internal emails, use: Internal:(3) . |
| Note: This query search term does not support the Searches for the Microsoft Teams messages. | To exclude internal emails, use: NOT Internal:(3) . |
||
Ipheader |
IP Address | Search by the IP header of the email. | Specific IP Address\: |
| Note: This query search term does not support the Searches for the Microsoft Teams messages. | Ipheader:(10.201.1.1) | ||
| IP Address using wildcards: | |||
| Ipheader:(10.*.1.1) AND Ipheader:(10.201.?.1) | |||
MailDate |
Date Time | Search by the date the message was sent. | Closed Range\: |
| MailDate: [2018-01-01T00:00:00 TO | |||
| 2019-12-31T23:59:59] | |||
| Open Range: | |||
| MailDate: {2018-01-01T00:00:00 TO 2019-12-31T23:59:59} | |||
Messagesizeinkb |
Floating Point Number | Search by total size of the email. | Messagesizeinkb:\[2.5 TO 5\] |
| Note: This query search term does not support the Searches for the Microsoft Teams messages. | |||
Outbound |
Boolean | Search whether a user sent the email. | Outbound:true |
| Note: This query search term does not support the Searches for the Microsoft Teams messages. | |||
Sender |
Text | Search by the sender address(es). | Sender:JoeBlogs@example.com |
| Sender:*@example.com | |||
Subject |
Text | Search by the subject of the email. | Subject:IT |
SubjectBody |
Text | Search the text in the subject of emails and/or in the content of the email. | SubjectBody:Test |
Textbody |
Text | Search the text content of the email. | Textbody: "Hello World!" |
To |
Text | Search by recipient. | To:JoeBlogs@example.com |
| To:*@example.com |
Examples of Query Searches:
-
Sourcetype:"Exchange"
-
SourceType:{"Exchange" OR "Citrix"}
-
Subject:(export OR report)
-
Sender:(@domain.com OR@domain2.com OR *@domain3.com)
-
Atttypes:(pdf OR docx) AND atttext:process
-
Attachments.filename:(Report.PDF or Export.docx)
Searching the From, To, BCC and CC fields
The To, From, and From/To search options are available within an Advanced Search.
-
The To option provides search results from the To, BCC, and CC fields.
-
The From option provides search results from the From field.
-
The From/To option provides search results from the From and To fields.
Searching within specific email domains
One way to search for items within a specific domain is to enter the domain name in the To field of an Advanced Search.
You can use wildcards to search for results from a group of similar domains. For example:
mycloud* returns emails for the domains that begin with mycloud.