Share via

Purview eDiscovery inconsistent results

John Collins 0 Reputation points
2026-03-13T16:29:12.26+00:00

I am getting inconsistent results in my purview eDiscovery searches.

Microsoft Security | Microsoft Purview
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. SAI JAGADEESH KUDIPUDI 2,210 Reputation points Microsoft External Staff Moderator
    2026-03-15T18:46:40.7533333+00:00

    Hi John Collins,
    In Microsoft Purview eDiscovery, inconsistent search results can occur in several normal scenarios. Please review the following checks:

    Data changes over time
    Content in Exchange, SharePoint, OneDrive, and Teams is continuously created, modified, or deleted. Running the same search at different times may return different results because the underlying data changed.

    Estimated results vs exported results
    Search statistics show estimated counts, while exports re-run the query. Differences may occur if items are added, deleted, or preserved by retention/hold policies between the estimate and export.

    Search scope or location issues
    Some locations may fail or time out during large searches. Review the Locations.csv process report to verify whether any locations were skipped or returned errors.

    Security filters or compliance boundaries
    If search permission filters or compliance boundaries are configured, different users may see different results for the same query.

    Unindexed or partially indexed items
    By default, unindexed items (such as image-only files or unsupported formats) may not be included. Re-running the search with partially indexed items included can change the result count.

    Large or complex searches
    Large searches or complex queries may produce transient processing errors. Splitting the search by date range or location often stabilizes the results.

    If inconsistencies continue after validating scope, filters, and indexing, you can review diagnostics using Get-ComplianceSearch and Get-ComplianceSearchAction in PowerShell.

    References Link:

    Microsoft Purview eDiscovery overview
    Content search in Microsoft Purview
    Export search results
    Keyword Query Language (KQL)

  2. Q&A Assist
    2026-03-13T16:29:32.8233333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Inconsistent results in Purview eDiscovery are expected in several common scenarios. Use the following checks and mitigations:

    1. Account for normal data changes
    • Content in Exchange, SharePoint, OneDrive, and Teams is constantly added, moved, or deleted.
    • Running the same search at different times against the same locations can legitimately return different statistics and item sets because the underlying data changed.
    1. Rule out transient processing errors
    • Large searches can hit transient timeouts or processing errors.
    • Mitigation:
      • Break the search into smaller date ranges.
      • Narrow locations instead of searching “all locations.”
      • Re-run the search or export after splitting to see if counts stabilize.
    1. Verify all locations are actually searched
    • Some locations in the scope may fail or time out, which reduces counts and causes run‑to‑run differences.
    • Use the Locations.csv process report (from Generate statistics / Generate sample) to check:
      • Status column for failures.
      • ErrorWarning for the reason a location was skipped.
    • Re-run the search specifically for failed locations.
    1. Check for compliance boundaries or search permission filters
    • Different users can get different results with the same query if a compliance boundary or search permission filter is applied.
    • In the process report Settings.csv:
      • Check Security filter applied. If Yes, the search is restricted.
      • Review Location restriction to see which locations are excluded.
    • If expected content is outside the filter scope, have an eDiscovery admin or a user without a filter run the same search for comparison.
    1. Understand estimated vs. exported/downloaded counts
    • The estimate shown in the search statistics and in Export Summary <timestamp>.csv is not an exact item count.
    • Differences between estimated and exported/downloaded results can occur because:
      • The export re-runs the search and picks up new or deleted items between estimate and export.
      • Hold versioning in SharePoint preserves multiple versions of deleted documents.
      • Calendar items (recurring meetings, accept/reject messages) continue to generate items with older dates.
      • The same item may be preserved in both primary and archive mailboxes when holds are applied.
      • Some calendar maintenance items may be periodically removed even under hold.
    1. Include unindexed/partially indexed items when needed
    • By default, statistics and some processes exclude unindexed or partially indexed items (for example, image‑only files, unsupported types, or items with processing errors).
    • In Settings.csv, check the Partially indexed items setting:
      • If unindexed items are excluded, rerun the search with partially indexed items included.
    • When exporting, choose to include unindexed items; exported counts can then exceed the estimate.
    1. Investigate missing or unexpectedly low counts
    • Use process reports from Generate statistics or Generate sample:
      • Settings.csv – confirm partially indexed items and security filters.
      • Locations.csv – confirm:
        • No errors for locations that should contain data.
        • Non‑zero Count where content is expected. If zero, verify the query and that the content exists and is indexed; rerun after some time if content is very recent.
    1. Handle specific search errors if present
    • If inconsistency is accompanied by errors:
      • Recipient not found: verify the recipient exists and is synced using Get-Recipient; wait ~30 minutes for sync and retry.
      • Location is ambiguous: use Get-Recipient to find and remove duplicate/conflicting objects for that mailbox identifier.
      • CS007 or “Internal server error (500) occurred”: usually indicates too many results or complex queries (for example, many wildcards). Split the search by date ranges or reduce locations.
    1. When to escalate
    • If, after:
      • Splitting searches into smaller scopes,
      • Verifying locations and filters via process reports,
      • Including partially indexed items,
      • Accounting for normal data changes, the results are still inexplicably inconsistent, collect diagnostics with Get-ComplianceSearch / Get-ComplianceSearchAction and open a case with Microsoft Support.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.