
searching within a mailbox in Discovery Accelerator

Created: 11 May 2013 • Updated: 13 May 2013 | 12 comments
This issue has been solved. See solution.

Hi. Thanks for the time.  I apologize for the noob questions.  I am just trying to get my head around Discovery Accelerator.

If I want to search for items within a single user's mailbox...how would I go about it?

This is what I have done so far:

-created a new case for that new user

-under search terms:

  i-To or from: user@domain.com

  ii-subject or content: investigation

 

However, it is searching the entire email vault. Is there a way to only search through this user's mailbox and the contents he/she has?

 

appreciate the feedback.


Rob.Wilcox's picture

Discovery Accelerator will only search through a user's archive/vault.

It won't search through non-archived emails in the user's mailbox.

 

Is it the second of those that you want?

 

If you have journal archiving enabled, then you could search that with the to/from specified as you have it.

goof717's picture

Thanks for the response, Rob. We do have journal archiving enabled, but I don't see where I can choose just the journal? Or am I just confusing myself? I just want to make sure I only search for emails for this particular user.

Rob.Wilcox's picture

Please clarify whether you mean emails or archived items.

If archived items then you search the user's archive.

If emails then it would be in the journal archive with the from or to as you indicated.

goof717's picture

Again, sorry for the confusion. I mean emails, not archives.

So I would be using the journal archive. Is there a checkbox that I need to check in order to use the journal archive?

And am I setting it correctly where it will only search the journal for that user for emails sent/received? Or does each search term search through the entire journal archive?

I have attached a pic to hopefully clear it up a bit.

thanks again for the time.

2013-05-12 10_23_23-CV - visionapp Remote Desktop 2010 R2.png
AndrewB's picture

In the next section below that search term section you're in, you have "archives".

Select "search these archives" and either type in the name(s) of your journal archive(s) or use the search button on the right of the dialogue box to search, find, and select the journal archives.

Andy Becker | Authorized Symantec Consultant | Trace3 | Symantec National Partner | www.trace3.com

goof717's picture

Andrew - thanks for the response...however I don't see 'search these archives' or something similar to that. Am I just in the wrong section? Again, this is in Discovery Accelerator where a new case has been opened and I want to search the Journal archive.

Do you perhaps have a screenshot of it?  Thanks.

AndrewB's picture

Here's a screenshot with highlighted relevant areas in red for you. (BTW, this is a new search I just created.)

Capture.JPG


goof717's picture

I don't have that option. I am using the EV Discovery Accelerator 10.0 on the DA server.

 

cases.png
AndrewB's picture

Make sure your user has the "select archives in search" permission.

SOLUTION
goof717's picture

Ha. Found that option. I feel silly. However, how do I target a single user's mail? I have to use the journal archive, but won't that search all emails that come through the journal, not just the single user in the case? Thanks again.

Kenneth Adams's picture

When you have just the journal archive selected to be searched, the actual search criteria will then take into account what you're looking to find.  So, if you want to find all messages sent to or from a specific user, use the "To or from" field to specify the SMTP address or addresses of the specific user and run the search.  That search will then return only e-mails sent or received by that user.  If you have Custodian Manager configured and the user you want is a Custodian, you can specify the Custodian Manager entry for that person to have all SMTP addresses that are defined for him or her used in the search.

So, just specify the user, either by selecting their Custodian Manager entry or by adding their SMTP address or addresses in the 'To or from' field and run the search. You'll likely get 1000s of hits for an open-dated search, but that's to be expected of any user who has been sending and receiving e-mails for a long time.

If you only want e-mails to or from that user during a specific date range, just specify the start and end dates for the date range you're interested in, add the Custodian or SMTP address(es), then save the search to start it running.

Note that a date range search can be sped up a bit if you have the Configuration tab's Settings sub-tab, Search section's option "Optimize searches based on oldest and youngest items" enabled as this will allow index volumes that do not have data in the specific search date range to be excluded from being searched.   You'll get an Info column entry of "Date range exclusion" for each such index volume.

 

Ken Adams

Backline Support for CA, DA, ACE, UCE, PSTD, ARMS, EVDC
US Support Region

goof717's picture

Awesome, thank you for the clarification. And esp. thanks for the knowledge and patience.