Build search queries for collections
Tip
eDiscovery (preview) is now available in the new Microsoft Purview portal. To learn more about using the new eDiscovery experience, see Learn about eDiscovery (preview).
When configuring the search query when creating a collection in an eDiscovery (Premium) case, you can use keywords to find specific content and conditions to narrow the scope of the search to return items that are most relevant to your legal investigation.
If you prefer to build a search query with the Keyword Query Language (KQL) editor, Query builder, or the Natural Language Query tools, see:
- Use the KQL editor to build search queries
- Use the query builder to build search queries
- Use the Natural Language Query builder to build search queries (preview)
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Keyword searches
Type a keyword query in the Keywords box in the search query. You can specify keywords, email message properties, such as sent and received dates, or document properties, such as file names or the date that a document was last changed. You can use more complex queries that use a Boolean operator, such as AND, OR, NOT, and NEAR. You can also search for sensitive information (such as social security numbers) in documents in SharePoint and OneDrive (not in email messages), or search for documents that have been shared externally. If you leave the Keywords box empty, all content located in the specified content locations is in the search results.
Keyword list
Alternatively, you can select the Show keyword list check box and the type a keyword or keyword phrase in each row. The keywords in each row are connected by a logical operator (which is represented as c:s in the search query syntax) that is similar in functionality to the OR operator in the search query that's created. This means items that contain any keyword in any row are in the search results. You can add up to 180 rows in the keyword list in eDiscovery (Premium) search queries.
Why use the keyword list? You can get statistics that show how many items match each keyword in the keyword list. This can help you quickly identify the keywords that are the most (and least) effective. You can also use a keyword phrase (surrounded by parentheses) in a row in the keywords list. For more information about search statistics, see Collection statistics and reports
Conditions
You can add search conditions to narrow the scope of a search and return a more refined set of results by selecting Add condition.
Each condition adds a clause to the search query that is created and run when you start the search. A condition is logically connected to the keyword query specified in the keyword box by a logical operator (which is represented as c:c in the search query syntax) that is similar in functionality to the AND operator. That means items have to satisfy both the keyword query and one or more conditions to be included in the search results. This is how conditions help to narrow your results.
For a list and description of conditions that you can use in a search query, see the "Search conditions" section in Keyword queries and search conditions.