About the search criteria options

Article:HOWTO58461  |  Created: 2011-08-01  |  Updated: 2013-07-12  |  Article URL http://www.symantec.com/docs/HOWTO58461
Article Type
How To



Compliance Accelerator groups the search criteria options into multiple sections, which are described below. Click the arrow icons at the right to expand or collapse the sections.

When you construct a search that contains multiple options, pay attention to how each option interacts with the others in the search properties pane. Compliance Accelerator links all the selected options together with Boolean AND operators rather than OR operators. For example, suppose that you construct a search whose criteria include the following:

  • A date range in the Date range section

  • A search term in the Search terms section

  • A file extension in the Attachments section

The search results contain only those items that match all the search criteria. Compliance Accelerator ignores any items that match some of the search criteria options but not others.

Search section

The Search section identifies the search and specifies when it runs.

Context

Identifies the department or research folder in which the search will run. In the case of an application-wide search, this is <All Departments>.

Name

Specifies a name for the search, such as "Daily Message Capture (London)".

Based on Search

Lets you select an existing search as the basis on which to set the criteria for the new search.

Save results in

If displayed, lets you select a location in which to save the results. Select New folder in <Context> in the drop-down list if you want to specify the details of a new folder in which to save the results.

This option is available only when you create a search in a folder that is not linked to any department (you have selected "My Research" in the left pane).

Search Type

Specifies whether the search runs immediately or at a scheduled time. If you select Scheduled, you can specify a period during which the search is to run. You can also choose from one of a number of existing schedules.

See Building Compliance Accelerator search schedules

You can also conduct guaranteed sample searches. Each guaranteed sample search runs at the selected sampling time, which is 1:00 A.M. by default. If the search returns fewer results than your monitoring policy demands, Compliance Accelerator adds randomly-sampled items to the review set to make up the shortfall. In effect, therefore, you can assemble more focused review sets that are weighted towards search-specific results instead of purely randomly-sampled items.

Automatically accept search results

Specifies whether to add the search results to the review set automatically. This option may be useful for any proven searches that you intend to run on a regular basis. If you check Automatically accept search results, you cannot reject the results and change the search criteria. We recommend that you uncheck Automatically accept search results until you have tested that the search returns the expected results.

A search that returns an error from any archive is not automatically accepted, regardless of this setting.

Include items already in review

Specifies whether the search results can include the items that you have previously captured and added to the review set. For an immediate search or scheduled search, we recommend that you check this box to ensure that the results include the items that may already be in review from other searches.

Sampling section

The Sampling section lets you sample the search results and add a random selection of items to the review set.

Compliance Accelerator does not deduplicate randomly-sampled items.

Sampling percentage

Specifies the percentage of search results to include in the review set. You can specify fractions, as in 10.25.

You may not be able to change the sampling percentage if the owner of the department has locked this setting in the department properties.

Minimum per author

Specifies the minimum number of items per author to include in the review set. If there are no items for an author in the search results, none can be included in the sample. Note that as the authors can be from outside the selected department, you may return more search results than expected.

Absolute limit

Sets an upper limit on the total number of search results to add to the review set. This option takes precedence over any values that you set in the Percentage box and Minimum items per employee box.

Date range section

The Date range section lets you search for items according to when they were sent or received.

Today / Yesterday / Last 7 days / Last 14 days / Last 28 days

Limits the search to items that were sent or received during the selected period. The date ranges are relative to when the search runs, which is today in the case of an immediate search.

You may find these options useful when creating a scheduled, recurrent search that runs once every day, week, two weeks, or four weeks. For example, if the search runs once a week, select Last 7 days to limit the range to the days since the search last ran.

Specific date range

Lets you search the items that were sent or received during a longer or more specific period than the other date range options permit. To enter a date, click the options at the right of the From and To boxes and then select the required date. Unlike the other date range boxes, a specific date range remains static and not relative to when the search runs.

Since search last ran

For a scheduled search only, lets you search the new items that have arrived since the last time you ran the search. This option is similar to options such as Today and Yesterday. However, it lets you set an explicit start date for the first run of the search.

By default, this option searches from the date of the last run (or the start date for the first search) to the current day minus 1 (that is, up to yesterday).

Authors and Recipients section

The Authors and Recipients section targets the departments for the search and the direction of the items to search. Any departments that you have organized into partitions can only search items to and from departments in the same partition.

Message Route

Specifies the direction in which the items for which you want to search have traveled. You can search for the items that are to or from the selected departments, and for the items that have traveled between the selected departments and other departments.

The available message route options can depend on the date range that you have specified and on how Compliance Accelerator has been configured.

Any Of/All Of

Specifies whether to apply the search to any of or all of the selected departments and employees.

Use inheritance, automatically include new departments

For application-wide searches only, lets you specify whether to apply the search to the subdepartments of the selected departments. By default, any new departments that are subdepartments of others automatically inherit any active, recurring searches that you have applied to those departments. This is also true of any existing departments that you move under departments that have recurring searches.

Department tree

Specifies the departments and employees that you want to include in the search. Click the arrows to the left of the department names to expand them and view the nested departments and exception employees.

When you select a department, you do not automatically include any exception employees in the department. To search exception employees, you must select each one explicitly.

Freeform email addresses / domains

Lets you type one or more email addresses and domains. Type each address or domain on a line of its own to search for the items whose From, To, CC, or BCC field contains any of the addresses or domains. Type all the addresses and domains on a single line to search for items in which they are all present.

Place the minus sign (-) in front of an address or domain to exclude it from the search. To exclude multiple addresses or domains, type them all on a single line.

This field is not available for all possible message routes.

Search terms section

The Search terms section specifies the words or phrases for which Compliance Accelerator should search in the subject lines of items and their bodies. By default, when you search for words in both the subject of an item and its content, Compliance Accelerator finds those items that meet one or both criteria. However, it is possible to set up Compliance Accelerator so that only those items that meet both criteria are found.

Subject

Searches for those items that contain any or all of the specified words or phrases in either their subject lines or the file names of their attachments.

Content

Searches for those items that contain any or all of the specified words or phrases in their bodies and any searchable attachments.

The words or phrases that you specify here are highlighted in the Review pane when you review the items that this search has found.

Observe the following guidelines when you type the words and phrases:

  • Compliance Accelerator searches are case-insensitive.

  • If you type multiple words on the same line, Compliance Accelerator treats them as a phrase.

  • Type each word on a line of its own if you want to use the Any of option or All of option to refine the search criteria.

    In the following example, Compliance Accelerator joins together the three words with an OR operator ("server OR group OR cluster"). Any item that contains one or more of the words matches the search criteria.

    Any Of: server
            group
            cluster

    In the next example, Compliance Accelerator joins together the three words with an AND operator ("server AND group AND cluster"). Only those items that contain all three words match the search criteria.

    All Of: server
            group
            cluster

    In the following example, Compliance Accelerator joins together the phrase "server group" and the word "cluster" with an AND operator ("'server group' AND cluster"). Only those items that contain both the phrase "server group" and the word "cluster" match the search criteria.

    All Of: server group
            cluster

  • You can use an asterisk (*) wildcard to represent zero or more characters in your search. Use a question mark (?) wildcard to represent any single character.

    A wildcard search always finds items that match your search criteria and that were archived in Enterprise Vault 10.0 or later. To ensure that the search results also include older matching items that are in your archives, enter at least three other characters before the wildcard.

  • Place a minus sign (-) at the start of a line to indicate that you want to exclude from the search results any items that contain the following word or phrase. For example, the following search term finds the items that contain either of the words "server" and "group" but do not contain the word "cluster" ("(server AND NOT cluster) OR (group AND NOT cluster)"):

    Any Of: server
            group
            -cluster

    A search term cannot comprise an excluded word or phrase only. When you specify such words or phrases, you must also specify a positive word or phrase that you want to appear in the search results.

  • Click Hotwords to choose from a list of hotwords and phrases, if you have previously created one.

    See Defining hotwords to search for

  • Compliance Accelerator ignores any nonalphanumeric characters in the search term, except for those that have special significance, such as the plus sign, minus sign, and question mark.

    For example, a search for the term US@100 may find instances not only of US@100 but also of US 100 and US$100. Including nonalphanumeric characters in the search term may therefore return more results than you expect.
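The guidelines above can be checked against sample text with a small model. This is an added example, not Compliance Accelerator code: the function names, the treatment of nonalphanumeric characters as word separators, and the rendering of exclusions under All Of are assumptions.

```python
import re

def term_regex(term):
    """Compile one word or phrase. '*' and '?' are wildcards; any other
    nonalphanumeric character acts as a separator (assumed tokenization)."""
    words = re.sub(r"[^0-9A-Za-z*?]+", " ", term).split()
    if not words:
        raise ValueError("term has no searchable characters")
    parts = [re.escape(w).replace(r"\*", r"\w*").replace(r"\?", r"\w")
             for w in words]
    return re.compile(r"\b" + r"\W+".join(parts) + r"\b", re.IGNORECASE)

def parse_box(lines):
    """Split the box into (include, exclude) lists, one term per line."""
    include, exclude = [], []
    for line in (l.strip() for l in lines):
        term = line.lstrip("-").strip()
        if term:
            (exclude if line.startswith("-") else include).append(term)
    if not include:
        raise ValueError("exclusions need at least one positive term")
    return include, exclude

def expression(mode, lines):
    """Render the Boolean expression the box stands for ('any' or 'all')."""
    include, exclude = parse_box(lines)
    quote = lambda t: f"'{t}'" if " " in t else t
    nots = "".join(f" AND NOT {quote(t)}" for t in exclude)
    if mode == "all":          # exclusions with All Of: assumed rendering
        return " AND ".join(map(quote, include)) + nots
    if not exclude:
        return " OR ".join(map(quote, include))
    return " OR ".join(f"({quote(t)}{nots})" for t in include)

def matches(mode, lines, text):
    """Evaluate the box against one item's text (case-insensitive)."""
    include, exclude = parse_box(lines)
    if any(term_regex(t).search(text) for t in exclude):
        return False
    hits = [bool(term_regex(t).search(text)) for t in include]
    return all(hits) if mode == "all" else any(hits)

if __name__ == "__main__":
    box = ["server", "group", "-cluster"]          # constructed input
    print(expression("any", box))
    print(matches("any", box, "The server joined the cluster."))
    print(matches("any", ["US@100"], "Invoice total: US$100"))
```

Running a proposed term list through such a model before scheduling a search shows where a phrase, an exclusion, or an embedded symbol widens or narrows the result set.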

Attachments section

The Attachments section lets you search for items with a certain number or type of attachments.

Number

Specifies the required number of attachments. The default option, "Does not matter", means that the item can have zero or more attachments. All the other options require you to type one or two values that specify the required number of attachments.

File extensions

Specifies the file name extensions of particular types of attachments for which to search. Separate the extensions with space characters. For example, type the following to search for items with HTML or Microsoft Excel file attachments:

.htm .xls

This search option evaluates attachments by their file names only; it does not check their file type. For example, suppose that a user changes the file name extension of a .zip file to .zap and then sends the renamed file as an email attachment. A Compliance Accelerator search for items that have attachments with a .zip extension does not find the email with the renamed attachment.
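The gap described above can be closed with a content-signature check on attachments exported for review. This is an added example, not part of Compliance Accelerator or Enterprise Vault: the function names, the signature table, and the sample bytes are constructed for illustration, and the name-only search is a simplified model.

```python
# Added example: compare an attachment's file name extension with the
# signature at the start of its content. All sample bytes are constructed.

# Leading-byte signatures for a few common container formats.
SIGNATURES = {
    "zip": b"PK\x03\x04",
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # legacy .xls/.doc/.msg
    "pdf": b"%PDF-",
    "gzip": b"\x1f\x8b",
}

# Extensions that legitimately carry each format (OOXML files are ZIPs).
EXPECTED = {
    "zip": {".zip", ".xlsx", ".docx", ".pptx", ".jar"},
    "ole2": {".xls", ".doc", ".ppt", ".msg"},
    "pdf": {".pdf"},
    "gzip": {".gz", ".tgz"},
}

def extension_of(name):
    """Return the lower-cased extension, or '' when there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""

def sniff(head):
    """Identify the format from the first bytes, or None if unknown."""
    for fmt, magic in SIGNATURES.items():
        if head.startswith(magic):
            return fmt
    return None

def extension_search_hits(name, wanted):
    """Model of a name-only search; wanted is a list such as '.htm .xls'."""
    return extension_of(name) in {e.lower() for e in wanted.split()}

def is_disguised(name, head):
    """True when content has a known signature the extension does not fit."""
    fmt = sniff(head)
    return fmt is not None and extension_of(name) not in EXPECTED[fmt]

if __name__ == "__main__":
    zip_head = b"PK\x03\x04\x14\x00\x00\x00"      # constructed ZIP header
    for name in ("archive.zip", "archive.zap", "book.xlsx"):
        print(name, extension_search_hits(name, ".zip"),
              is_disguised(name, zip_head))
```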

The contents of some attachments may not be searchable because Enterprise Vault has not indexed them. In particular, file formats such as Fax and Voice do not have any indexable content.

Some Enterprise Vault registry entries prevent it from indexing the contents of selected file types. For example, this is the case with the ExcludedFileTypesFromConversion entry. For more information, see the Enterprise Vault Registry Values guide.

For more information on how Compliance Accelerator conducts searches in which you have specified file name extensions, see the following article on the Symantec Support website:

http://www.symantec.com/docs/TECH191321

Miscellaneous section

The Miscellaneous section lets you search for items of a certain size and type or that have the specified retention category.

Message size

Specifies the size in kilobytes of each item for which to search, as reported by the message store (Microsoft Exchange, Lotus Domino, and so on). The item size includes the size of any attachments.

Message type

Searches for items of the selected types. This option is only available if:

  • Your Enterprise Vault server is running Enterprise Vault 5.0 or later.

  • You have specified a date range that does not include a date before you installed Enterprise Vault 5.0.

Retention category

Searches for items to which Enterprise Vault has assigned the selected retention categories.

Policies section

The Policies section lets you search for items according to the tags with which any additional policy management software has classified them.

Policy

Lets you search for the items that match certain classification policies. There are several types of policies:

  • Inclusion. Any item that your policy management software has classified for inclusion in the review set may be guilty of the most serious offenses, such as swearing, racism, or insider trading. You would normally want to ensure that the items exhibiting any of these features were included in your review set.

  • Exclusion. Spam items and newsletters are typical examples of the items that your policy management software may classify for exclusion from the review set.

  • Category. Your policy management software may categorize the items that exhibit certain characteristics, such as containing Spanish text. This type of policy provides no information on whether an item should be included in or excluded from the review set.

These policy types are not mutually exclusive. Your policy management software may apply multiple policies of different types to the same item.

Select the required policy type and then check the names of the policies for which you want to search. Alternatively, you can select Custom as the policy type and then type the names of one or more policies. Separate multiple policy names with commas, like this:

CustomPolicy1,CustomPolicy2

If you choose to search for multiple policies, the search results will contain items that match any one of the policies.

Filter policies by current department

Lets you omit from the list those policies that are not in use in the current department.

See Creating and running Compliance Accelerator searches

See Guidelines on conducting effective searches

See Selecting the archives in which to search


Legacy ID



id-SF200450382_v41328187

