Archiving - Searching The Archive

This article contains information on configuring Mimecast Archiving for Microsoft Teams, including setting up a Connector and IM Sync Task, and managing data retention and synchronization with Microsoft Teams.

The Archive Search allows administrators to perform a complete search across all emails in the archive, including ingested historical email data. In addition, the ability to search the Mimecast archive instantly for email data provides the administrator access to email delivery information—this aids in troubleshooting email delivery queries. Administrators with appropriate permissions can also read the contents of emails in the archive, forward emails to internal users, or export emails from the Mimecast platform.

Archive searches can also be saved with their search parameters for repeated use. See the Archiving - Saved Archive Searches page for full details.

Once emails have been indexed, de-duplicated, compressed, and encrypted, they are moved to the Mimecast storage grid and archived. The length of time emails are retained depends on your account retention settings. When an email is archived, this includes both the content and the metadata associated with email delivery and processing. An archive search allows administrators to trace emails and troubleshoot email delivery. Depending on their permissions, they can view the email's metadata or the content and metadata.

Several methods are also available to modify email retention. For more information, view the eDiscovery - Managing Retention Adjustments page.

Performing a Search

An accepted message is not archived if it has a retention period of three days or less but remains in the queue until it expires.

Making the search parameters as specific as possible is essential to producing the most relevant results when using the archive search. For example, add details such as the search text, dates, sender, and recipient where appropriate.

To search the archive:

  1. Select the Archive | Archive Search menu item.
  2. Complete the Search Query as follows:
  • Use parentheses to group search terms. For example, (HUD OR Fay OR Freddie OR FHA) AND (price OR fee OR cost) would return "HUD cost," "Fay," "FHA fee," etc. We recommend avoiding quotation marks when searching for terms, as this will likely result in poor search results.
  • Searching for a .TXT or .HTM attachment type may return more messages than expected, because all messages have a 'body.txt' and 'body.htm' part.
Field / Option: Search Text

Description: This field is used to specify the text to search for and allows searches to be performed using boolean search parameters. The text can be entered exactly, or, if you're not sure of it, you can use wildcard characters.

We recommend text isn't copied and pasted directly from certain applications into the search field unless the text is copied from Notepad. Doing this ensures the quotes in the query aren't translated into "smart quotes," which count as a separate character and may break the search query.

Wild Card Character / Text Entered / Search Results Returned

  • An asterisk * to indicate unknown letters.
    Text entered: docu*
    Search results returned: Results containing words beginning with "docu" such as "document."
  • A question mark '?' to indicate a single unknown letter.
    Text entered: practi?e
    Search results returned: Results containing words such as "practice" or "practise."
  • A space between words implies an AND option. Multiple spaces are ignored in a search term and will be reduced to a single space when the query is processed.
    Text entered: training exercise
    Search results returned: Results contain both "training" and "exercise," but the words may not be adjacent.
  • If the "AND", "OR" or "NOT" statements are included inside a quoted term, they act like wildcard words. This means the statements find and replace any two or three-character words in the search term. "AND", "OR" and "NOT" statements are case sensitive and must be capitalized, or their function will be ignored.
    Text entered: "over AND out"
    Search results returned: Results include "over the out" or "over but out," but will not return the term "over out."
  • Use the OR option between words to extend your search.
    Text entered: fred OR jim OR joe
    Search results returned: Results containing either "fred," "jim" or "joe," or a combination of these words.
  • An exclamation mark '!' before a word executes the NOT option to exclude terms from the search. The exclude option cannot be used on its own. Text to be included must be used at the same time, as shown in the example text entered.
    Text entered: fred !joe
    Search results returned: Results containing "fred" but not "joe" (if a message includes both fred and joe, it would not be included in the results).
  • Entering text within quotation marks allows you to search for exact phrases.
    Text entered: "knowledge base"
    Search results returned: Results contain the exact phrase "knowledge base."
  • If you are searching for calendar items.
    Text entered: "Content-Type: text/calendar"
    Search results returned: Results containing Calendar items.
  • A tilde character followed by a number (e.g., ~6) to search for one word in proximity to another.
    Text entered: "more optimization" ~6
    Search results returned: Results in a sentence where the word "more" is within six words of the word "optimization." For example, "More efficient I/Os through Read/Write optimization."
  • Searching the Mimecast Archive for messages that have attachments.
    Text entered: "content-disposition: attachment" and ticking the Search Message Headers box.
    Search results returned: All messages that have attachments.

The following terms are automatically excluded from the search: "a", "an", "and", "are", "as", "at", "be", "but", "by", "for", "if", "in", "into", "is", "it", "no", "not", "of", "on", "or", "such", "that", "the", "their", "then", "there", "these", "they", "this", "to", "was", "will", "with". These common words are not indexed by Mimecast when an email is archived and therefore are ignored when the search query is performed. This applies when using phrases (as described in the above example). For example, when searching for "training the customers," Mimecast will return results including "training the customers," "training with customers," "training at customers," etc. 

Archive searches can only start with valid search text. Wildcards or other search parameters, such as '!', used as the first character in the search string, will cause the search to fail. 

Email Areas to Search Within: Searches can be applied across one or more message parts. For example, "Subject Line," "Message Header," "Message Body," "Attachment," "Attachment Types," or "Attachment Name."

  • If searching across multiple areas, results are returned where the search string is present in ANY of the specified locations. For example, searching for "Apples" and "Oranges" and searching the "Subject Line" and "Message Body," the results include messages with both "Apples" and "Oranges" in either the subject or the body. This is also true when enacting the NOT option. For example, when searching for "Apples" and "!Oranges" and searching both the "Subject Line" and "Message Body," the results contain messages where "Apples" but not "Oranges" appear in either the subject or the body.
  • If searching for an email sent as an attachment using a particular term present on the attached email, the Search Message Body checkbox must be selected.

Include Litigation Hold Messages: Messages on litigation hold remain available to administrators beyond their expected expiry date. If this option is checked (unchecked by default), the search will include items on litigation hold that have exceeded their expiry date. The search will not include these messages if this option is unchecked.

Messages on litigation hold that have not yet reached their expected expiry date will be included in both cases.

Search Within Smart Tag: If a Smart Tag is selected using the Lookup button, the search results will be filtered to only return the results from that Smart Tag. Use the X to clear a selected Smart Tag.

Additional Search Parameters can be specified in the Search Filters and Options section. To ensure that only relevant search data is returned, it is essential to specify as many filters as possible:

Field Name / Description

From Address (or Domain) and To Address (or Domain): Use the From and To fields by entering the email address or domain name(s) to specify the sender or recipient addresses. Some additional points to be aware of when entering these details include:
  • You cannot use a wildcard at the beginning of the entry.
  • If you are looking for multiple addresses, list them by separating them with a space.
  • If unsure of the full email address, enter the name part and add a wildcard (*) for the domain portion.
  • You can use the term NOT to specify an email address or domain name to exclude from the search results (i.e.: NOT domain.com NOT admin@domain.com).

If you have an address alterations policy, the address must be the new address. See the Policies - Address Alteration Configuration page for further details.

From Date and To Date: The search is performed over the last month's worth of email data by default. However, the date criteria can be adjusted as required using the calendar controls and are based on the sent date of the email. The time field also allows more granularity when looking for a particular email.

Show Total Count: This option controls when you can view the search results. For example, if 'Show Total Count' is selected, it will affect both of the following views:
  • Archive Search - This only displays search results when all results are returned. If unselected, the results are shown as soon as they become available. This is the default setting and allows for faster viewing and reduced load times.
  • Archive Export - This displays the total count when exporting data from an archive search. A maximum of 50,000 messages can be exported at a time.

Route Filter: The Route Filter is used to target the specific route of the email traffic, which is either all routes, inbound (from an external sender to an internal recipient), outbound (from an internal sender to an external recipient), or internal (sent from one internal user to another internal user). The default is set to all routes.

Results sort order: This can be set to display the search results in one of three ways - Descending Date Order (most recent emails appear first), Ascending Date Order (oldest emails appear first), and Relevance Order (the emails that match the search criteria more closely appear first). The default is Descending Date Order.
Relevance order can help narrow down a search by first showing the most specific results. Therefore if you searched using the text "meet*" and selected Relevance Order, emails with the word "meet" would be shown first, and then other matches (for example, "meets" or "meeting") would follow.

Once the search results are displayed, the View menu can be used to re-sort the results.

  3. Click the Search button to initiate the search. Email results are displayed in a list format per the search criteria specified above.

Very large attachments (and email message body parts) take longer to process. To protect Mimecast archive performance, search keywords are taken from the first 2 million characters of each attachment, with a limit of 20,000 search keywords across all attachments, and a further 20,000 search keywords for the message body.

The search will not return the desired email if keywords do not appear in the first 20,000 terms. This commonly occurs when searching spreadsheets with hundreds of thousands of distinct rows. If searching for such attachments, it is recommended that you use criteria other than keywords, i.e., attachment search, to/from, and date criteria.
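
The Search Text rules described above (capitalized operators, no wildcard or '!' as the first character, smart quotes, operators and stop words inside quoted phrases) can be checked before a query is pasted into Archive Search. The following Python check is an added example, not Mimecast code: lint_query and its warning codes are hypothetical names, and it tests only the rules stated on this page rather than reproducing Mimecast's parser.

```python
import re

# Words this page lists as not indexed, so they are ignored at search time.
STOP_WORDS = frozenset(
    "a an and are as at be but by for if in into is it no not of on or such "
    "that the their then there these they this to was will with".split())
OPERATORS = ("AND", "OR", "NOT")
SMART_QUOTES = "\u201c\u201d\u2018\u2019"


def lint_query(query):
    """Return warning codes for one Search Text string (empty list = clean)."""
    found = []
    text = query.strip()
    if any(ch in text for ch in SMART_QUOTES):
        found.append("smart-quotes")            # count as separate characters
    if text[:1] in ("*", "?", "!"):
        found.append("invalid-first-char")      # page: the search will fail
    if text.count('"') % 2:
        found.append("unbalanced-quotes")

    phrases = re.findall(r'"([^"]*)"', text)    # quoted exact phrases
    outside = re.sub(r'"[^"]*"', " ", text)     # everything else
    depth = 0
    for ch in outside:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:                           # ")" before its "("
            break
    if depth != 0:
        found.append("unbalanced-parentheses")

    for word in re.findall(r"[A-Za-z]+", outside):
        # Operators only work capitalized; lowercase forms are stop words.
        if word.upper() in OPERATORS and word not in OPERATORS:
            found.append("operator-not-capitalized:" + word)
    for phrase in phrases:
        for word in phrase.split():
            if word in OPERATORS:               # acts as a wildcard word
                found.append("operator-in-phrase:" + word)
            elif word.lower() in STOP_WORDS:    # position matches any word
                found.append("stop-word-in-phrase:" + word.lower())
    return found
```

An empty list means none of the page's stated pitfalls were detected; it does not guarantee that the query returns the intended messages.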

Working With the Search Results

If your archive search returns more than 100 results, only the first 100 are displayed by default. You can change this to a maximum of 1000 results by selecting a value from the numerical drop-down. You can also scroll through each set of results by using one of the following page navigation arrows:

  • Navigate to the first page of the results.
  • Navigate to the previous page of results.
  • Navigate to the next page of results.
  • Navigate to the last page of the results.

Additionally, you can:

  • Forward or export selected messages from the archive, provided you have the required permissions.
  • Sort the results by date, relevance, address, or subject by selecting the required option from the View menu.
  • Click on a message to view its Policies - Address Alteration Configuration (see below).

Displaying a Message's Content and Metadata

You can display the details of a message in a popout panel by clicking on it in the search results. The details are shown in the following tabs:

  • Message: Displays details of the message's body.
  • Header: Displays details of the message's header.
  • Transmission Data: Displays details of the message's envelope and transmission components.
  • Policies: Displays the policies that were applied to the message.

Administrators can access additional metadata to determine email delivery. See the related article on Email Receipt and Delivery Views for more information.

End users can search a personal archive using a Mimecast end-user application. However, this only covers messages where they are the sender or recipient.
