Enabling Search Query Logging:
To enable Search Query Logging, follow these steps within the Enterprise Vault Admin Console (VAC):
1. Expand Enterprise Vault Servers under the site container in the left pane.
2. Right-click the Enterprise Vault server that hosts the Indexing service and select Properties.
3. On the Advanced tab, select Search Log Queries and click Modify.
4. In the drop-down menu, select On, and click OK.
5. Select Search Logs Folder and click Modify.
6. Enter a path to a local folder on the Index server, and click OK.
7. On the Properties page click OK, and then on the warning dialog about changes to the advanced settings, click OK.
8. Restart the Enterprise Vault server’s Indexing Service.
9. Perform searches using any Search application.
To disable Search Query Logging, follow the same steps but select OFF in step 4.
Locating the Search Query Logs:
- A file beginning with squery contains the search request in StructuredQuery format, suitable for 32-bit index volumes (EV 9 and earlier). This will be an XML file.
- A file beginning with velreq contains the search request in Velocity format, suitable for 64-bit index volumes (EV 10 through EV 14.1). This will be an XML file.
- A file beginning with elasticsearchreq contains the search request in Elasticsearch format, suitable for Elasticsearch index volumes (EV 14.2 and later). This will be a JSON file.
Note that for search requests that target multiple index volumes, the StructuredQuery and Velocity query logs will create a separate XML file for each index volume, while the Elasticsearch query logs will create just one JSON file.
Note also that a single search may target an archive with several index volumes of different types, and therefore it is not alarming for many different index query logs to be generated from a single search.
How to interpret a Search Query Log in the squery form:
Once the Search Query Logging is enabled, squery_*.xml files are generated in the configured location when a search is performed. This file contains the basic structure of a search query in a format internal to Enterprise Vault. It has the search terms, the search fields and conditions specified in the search criteria.
Sample Search Criteria 1:
FIELD | OPERATOR | SEARCH TERMS
Subject | contains all of | ratify eclipse suspend
From | contains any of | bill
Content | contains phrase | snowy adventure
Search Query Log generated in the squery_*.xml:
<?xml version="1.0" encoding="utf-8"?>
<StructuredQuery xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Symantec.EnterpriseVault.Indexing.Search">
<SearchAttachments>true</SearchAttachments>
<TopLevelDocumentsOnlyInResults>true</TopLevelDocumentsOnlyInResults>
<WillMatchZeroDocuments>false</WillMatchZeroDocuments>
<Operator xmlns:d2p1="http://www.symantec.com/EnterpriseVault/Indexing/Search/Data">
<d2p1:Logic>and</d2p1:Logic>
<d2p1:Operands>
<d2p1:Operand i:type="d2p1:Operator">
<d2p1:Logic>and</d2p1:Logic>
<d2p1:Operands>
<d2p1:Operand i:type="d2p1:StringTerm">
<d2p1:Field>subj</d2p1:Field>
<d2p1:Value>"ratify"</d2p1:Value>
<d2p1:Mode>any</d2p1:Mode>
</d2p1:Operand>
<d2p1:Operand i:type="d2p1:StringTerm">
<d2p1:Field>subj</d2p1:Field>
<d2p1:Value>"eclipse"</d2p1:Value>
<d2p1:Mode>any</d2p1:Mode>
</d2p1:Operand>
<d2p1:Operand i:type="d2p1:StringTerm">
<d2p1:Field>subj</d2p1:Field>
<d2p1:Value>"suspend"</d2p1:Value>
<d2p1:Mode>any</d2p1:Mode>
</d2p1:Operand>
</d2p1:Operands>
<d2p1:Distance i:nil="true"/>
</d2p1:Operand>
<d2p1:Operand i:type="d2p1:StringTerm">
<d2p1:Field>auth</d2p1:Field>
<d2p1:Value>"bill"</d2p1:Value>
<d2p1:Mode>any</d2p1:Mode>
</d2p1:Operand>
<d2p1:Operand i:type="d2p1:StringTerm">
<d2p1:Field>cont</d2p1:Field>
<d2p1:Value>"snowy adventure"</d2p1:Value>
<d2p1:Mode>any</d2p1:Mode>
</d2p1:Operand>
</d2p1:Operands>
<d2p1:Distance i:nil="true"/>
</Operator>
</StructuredQuery>
Sample Search Criteria 2:
FIELD | OPERATOR | SEARCH TERMS
Date | is between | From 01/05/2005 To 01/01/2012
Subject or Content | contains any of | good old days
Search Query Log generated in the squery_*.xml:
<?xml version="1.0" encoding="utf-8"?>
<StructuredQuery xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Symantec.EnterpriseVault.Indexing.Search">
<SearchAttachments>true</SearchAttachments>
<TopLevelDocumentsOnlyInResults>true</TopLevelDocumentsOnlyInResults>
<WillMatchZeroDocuments>false</WillMatchZeroDocuments>
<Operator xmlns:d2p1="http://www.symantec.com/EnterpriseVault/Indexing/Search/Data">
<d2p1:Logic>and</d2p1:Logic>
<d2p1:Operands>
<d2p1:Operand i:type="d2p1:DateRangeTerm">
<d2p1:Field>date</d2p1:Field>
<d2p1:Start>2005-01-05T05:00:00Z</d2p1:Start>
<d2p1:End>2012-01-02T04:59:59Z</d2p1:End>
</d2p1:Operand>
<d2p1:Operand i:type="d2p1:Operator">
<d2p1:Logic>or</d2p1:Logic>
<d2p1:Operands>
<d2p1:Operand i:type="d2p1:StringTerm">
<d2p1:Field>text</d2p1:Field>
<d2p1:Value>"good"</d2p1:Value>
<d2p1:Mode>any</d2p1:Mode>
</d2p1:Operand>
<d2p1:Operand i:type="d2p1:StringTerm">
<d2p1:Field>text</d2p1:Field>
<d2p1:Value>"old"</d2p1:Value>
<d2p1:Mode>any</d2p1:Mode>
</d2p1:Operand>
<d2p1:Operand i:type="d2p1:StringTerm">
<d2p1:Field>text</d2p1:Field>
<d2p1:Value>"days"</d2p1:Value>
<d2p1:Mode>any</d2p1:Mode>
</d2p1:Operand>
</d2p1:Operands>
<d2p1:Distance i:nil="true"/>
</d2p1:Operand>
</d2p1:Operands>
<d2p1:Distance i:nil="true"/>
</Operator>
</StructuredQuery>
The following elements of the log file help in understanding the search query:
- The i:type attribute of an <Operand> node, for example <Operand i:type="StringTerm">, indicates the type of search term: StringTerm for strings, NumericRangeTerm for numeric values, or DateRangeTerm for dates.
- The <Field> node indicates the field specified in the search criteria.
- The <Value> node indicates the search terms specified.
- The <Mode> node indicates the logical operator applied to the search terms, as specified.
- For a search by range, the <Start> node indicates the ‘From’ value of the range.
- For a search by range, the <End> node indicates the ‘To’ value of the range.
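When reviewing many squery files, for example to audit what was searched for in the archive, it helps to fold the operand tree into a single line. The following Python sketch is an added example, not part of Enterprise Vault; it relies only on the element names and namespaces visible in the samples above, and its input is a constructed, trimmed copy of Sample Search Criteria 2.

```python
import xml.etree.ElementTree as ET

# Namespaces exactly as they appear in the squery samples on this page.
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
SQ = "{http://schemas.datacontract.org/2004/07/Symantec.EnterpriseVault.Indexing.Search}"
D = "{http://www.symantec.com/EnterpriseVault/Indexing/Search/Data}"

def _text(node, tag):
    child = node.find(D + tag)
    return child.text if child is not None and child.text else ""

def render(node):
    """Render an Operator/Operand node as a readable boolean expression."""
    # The root <Operator> has no i:type; nested operands carry "prefix:TypeName".
    kind = node.get(XSI_TYPE, "Operator").split(":")[-1]
    if kind == "Operator":
        logic = _text(node, "Logic").upper()
        operands = node.find(D + "Operands")
        parts = [render(op) for op in (operands if operands is not None else [])]
        return "(" + f" {logic} ".join(parts) + ")"
    if kind == "StringTerm":
        return f"{_text(node, 'Field')}:{_text(node, 'Value')}"
    if kind in ("DateRangeTerm", "NumericRangeTerm"):
        return f"{_text(node, 'Field')}:[{_text(node, 'Start')} TO {_text(node, 'End')}]"
    return f"<unhandled {kind}>"

def summarize_squery(xml_bytes):
    root = ET.fromstring(xml_bytes)
    return {
        "search_attachments": root.findtext(SQ + "SearchAttachments") == "true",
        "expression": render(root.find(SQ + "Operator")),
    }

# Constructed input: the Sample Search Criteria 2 log, trimmed to two text terms.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<StructuredQuery xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Symantec.EnterpriseVault.Indexing.Search">
<SearchAttachments>true</SearchAttachments>
<Operator xmlns:d2p1="http://www.symantec.com/EnterpriseVault/Indexing/Search/Data">
<d2p1:Logic>and</d2p1:Logic>
<d2p1:Operands>
<d2p1:Operand i:type="d2p1:DateRangeTerm">
<d2p1:Field>date</d2p1:Field><d2p1:Start>2005-01-05T05:00:00Z</d2p1:Start><d2p1:End>2012-01-02T04:59:59Z</d2p1:End>
</d2p1:Operand>
<d2p1:Operand i:type="d2p1:Operator">
<d2p1:Logic>or</d2p1:Logic>
<d2p1:Operands>
<d2p1:Operand i:type="d2p1:StringTerm"><d2p1:Field>text</d2p1:Field><d2p1:Value>"good"</d2p1:Value><d2p1:Mode>any</d2p1:Mode></d2p1:Operand>
<d2p1:Operand i:type="d2p1:StringTerm"><d2p1:Field>text</d2p1:Field><d2p1:Value>"old"</d2p1:Value><d2p1:Mode>any</d2p1:Mode></d2p1:Operand>
</d2p1:Operands>
</d2p1:Operand>
</d2p1:Operands>
</Operator>
</StructuredQuery>"""
```

Query logs record the search terms users typed, so the folder they are written to deserves the same access restrictions as the archive data itself.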
How to interpret a Search Query Log in the velreq form:
Once Search Query Logging is enabled, velreq_*.xml files are generated in the configured location when a search is performed. This file contains the complete structure of a search query that is passed to the 64-bit indexing engine. The following major items of information can be found in the velreq file:
- search terms specified
- search fields used
- search conditions (like any of or phrase, etc)
- sorting order
- search timeout duration
- collection ID (the id of an index volume)
Sample Search Criteria 1:
FIELD | OPERATOR | SEARCH TERMS
Subject | contains all of | ratify eclipse suspend
From | contains any of | bill
Content | contains phrase | snowy adventure
Search Query Log generated in the velreq_*.xml:
<?xml version="1.0" encoding="utf-8"?>
<CollectionBrokerSearch xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<collection xmlns="urn:/velocity/types">17845AF6064C96B4C80B01C41EC244919_136</collection>
<query-object xmlns="urn:/velocity/types">
<operator logic="and" xmlns="urn:/velocity/objects">
<term field="v.field-mapping" str="<field-map field="x_subj">
 <field-to name="subj" />
 <field-to name="a_subj" />
</field-map>
<field-map field="x_auth">
 <field-to name="wrdn" />
 <field-to name="wrsm" />
 <field-to name="wrot" />
 <field-to name="frdn" />
 <field-to name="frsm" />
 <field-to name="frot" />
 <field-to name="ppdn" />
 <field-to name="ppsm" />
 <field-to name="ppot" />
 <field-to name="jrfm" />
 <field-to name="jrpp" />
 <field-to name="jaen" />
 <field-to name="a_wrdn" />
 <field-to name="a_wrsm" />
 <field-to name="a_wrot" />
 <field-to name="a_frdn" />
 <field-to name="a_frsm" />
 <field-to name="a_frot" />
 <field-to name="a_ppdn" />
 <field-to name="a_ppsm" />
 <field-to name="a_ppot" />
 <field-to name="a_jrfm" />
 <field-to name="a_jrpp" />
 <field-to name="a_jaen" />
</field-map>
<field-map field="x_cont">
 <field-to name="cont" />
 <field-to name="a_cont" />
</field-map>
"/>
<operator logic="and">
<operator logic="and">
<term field="x_subj" str="ratify"/>
<term field="x_subj" str="eclipse"/>
<term field="x_subj" str="suspend"/>
</operator>
<term field="x_auth" str="bill"/>
<term field="x_cont" str="snowy adventure"/>
</operator>
</operator>
</query-object>
<sort-xpaths xmlns="urn:/velocity/types">
<sort xpath="$date" order="descending" xmlns="urn:/velocity/objects"/>
<sort xpath="$snum" xmlns="urn:/velocity/objects"/>
</sort-xpaths>
<sort-num-passages xmlns="urn:/velocity/types">0</sort-num-passages>
<num xmlns="urn:/velocity/types">100</num>
<num-max xmlns="urn:/velocity/types">100</num-max>
<output-contents-mode xmlns="urn:/velocity/types">list</output-contents-mode>
<output-contents xmlns="urn:/velocity/types">msgc natc auth subj date size tags ppdn dtyp pvid snum vlid _Vault.MsgType ItemExpiry keys _evtag.category _evtag.inclusion _evtag.exclusion</output-contents>
<output-summary xmlns="urn:/velocity/types">false</output-summary>
<output-score xmlns="urn:/velocity/types">true</output-score>
<output-display-mode xmlns="urn:/velocity/types">limited</output-display-mode>
<binning-mode xmlns="urn:/velocity/types">off</binning-mode>
<fetch-timeout xmlns="urn:/velocity/types">600000</fetch-timeout>
</CollectionBrokerSearch>
Sample Search Criteria 2:
FIELD | OPERATOR | SEARCH TERMS
Date | is between | From 01/05/2005 To 01/01/2012
Subject or Content | contains any of | good old days
Search Query Log generated in the velreq_*.xml:
<?xml version="1.0" encoding="utf-8"?>
<CollectionBrokerSearch xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<collection xmlns="urn:/velocity/types">17845AF6064C96B4C80B01C41EC244919_76</collection>
<query-object xmlns="urn:/velocity/types">
<operator logic="and" xmlns="urn:/velocity/objects">
<term field="v.field-mapping" str="<field-map field="x_date">
 <field-to name="date" />
 <field-to name="a_date" />
</field-map>
<field-map field="x_text">
 <field-to name="cont" />
 <field-to name="subj" />
 <field-to name="a_cont" />
 <field-to name="a_subj" />
</field-map>
"/>
<operator logic="and">
<operator logic="range">
<term field="x_date" str="2005-01-05T05:00:00Z"/>
<term field="x_date" str="2012-01-02T04:59:59Z"/>
</operator>
<operator logic="or">
<term field="x_text" str="good"/>
<term field="x_text" str="old"/>
<term field="x_text" str="days"/>
</operator>
</operator>
</operator>
</query-object>
<sort-xpaths xmlns="urn:/velocity/types">
<sort xpath="$date" order="descending" xmlns="urn:/velocity/objects"/>
<sort xpath="$snum" xmlns="urn:/velocity/objects"/>
</sort-xpaths>
<sort-num-passages xmlns="urn:/velocity/types">0</sort-num-passages>
<num xmlns="urn:/velocity/types">100</num>
<num-max xmlns="urn:/velocity/types">100</num-max>
<output-contents-mode xmlns="urn:/velocity/types">list</output-contents-mode>
<output-contents xmlns="urn:/velocity/types">msgc natc auth subj date size tags ppdn dtyp pvid snum vlid _Vault.MsgType ItemExpiry keys _evtag.category _evtag.inclusion _evtag.exclusion</output-contents>
<output-summary xmlns="urn:/velocity/types">false</output-summary>
<output-score xmlns="urn:/velocity/types">true</output-score>
<output-display-mode xmlns="urn:/velocity/types">limited</output-display-mode>
<binning-mode xmlns="urn:/velocity/types">off</binning-mode>
<fetch-timeout xmlns="urn:/velocity/types">600000</fetch-timeout>
</CollectionBrokerSearch>
The main lines to focus on in the log to understand the search query are:
- The value in the <collection> node indicates the index volume ID, or collection ID, on which the search is performed.
- The logic attribute of an <operator> node, for example <operator logic="range">, indicates the type of condition, such as AND, OR, PHRASE, RANGE, etc.
- The field attribute of a <term> node indicates the field specified in the search criteria.
- The str attribute of a <term> node indicates the search terms specified.
- The prefix x_<field> means the search covers both the top level and the attachment level of the item. If the search field is not prefixed by x_, the search covers only the top level of the item.
How to interpret a Search Query Log in the elasticsearchreq form:
Once Search Query Logging is enabled, elasticsearchreq_* files (in JSON format) are generated in the configured location when a search is performed. This file contains the complete structure of a search query that is passed to the Elasticsearch indexing engine. The following major items of information can be found in the elasticsearchreq file:
- search terms specified
- search fields used
- search conditions (like any of or phrase, etc)
- sorting order
- search timeout duration
Sample Search Criteria 1:
FIELD | OPERATOR | SEARCH TERMS
Subject | contains all of | ratify eclipse suspend
From | contains any of | bill
Content | contains phrase | snowy adventure
{
"_source": false,
"from": 0,
"query": {
"bool": {
"filter": [
{
"term": {
"indexVolumeName": {
"value": "17845af6064c96b4c80b01c41ec244919_153"
}
}
}
],
"must": [
{
"bool": {
"must": [
{
"bool": {
"must": [
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"match_phrase": {
"fields.text.subj": {
"query": "ratify"
}
}
},
{
"match_phrase": {
"fields.text.a_subj": {
"query": "ratify"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_subj": {
"query": "ratify"
}
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"match_phrase": {
"fields.text.subj": {
"query": "eclipse"
}
}
},
{
"match_phrase": {
"fields.text.a_subj": {
"query": "eclipse"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_subj": {
"query": "eclipse"
}
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"match_phrase": {
"fields.text.subj": {
"query": "suspend"
}
}
},
{
"match_phrase": {
"fields.text.a_subj": {
"query": "suspend"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_subj": {
"query": "suspend"
}
}
}
]
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"match_phrase": {
"fields.textsearchable.wrdn": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.wrsm": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.wrot": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.frdn": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.frsm": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.frot": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.text.ppdn": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.ppsm": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.ppot": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.jrfm": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.jrpp": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.jaen": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.text.a_wrdn": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_wrdn": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.text.a_wrsm": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_wrsm": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.text.a_wrot": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_wrot": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.text.a_frdn": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_frdn": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.text.a_frsm": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_frsm": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.text.a_frot": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_frot": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.text.a_ppdn": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_ppdn": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.text.a_ppsm": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_ppsm": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.text.a_ppot": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_ppot": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.text.a_jrfm": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_jrfm": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.text.a_jrpp": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_jrpp": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.text.a_jaen": {
"query": "bill"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_jaen": {
"query": "bill"
}
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"match_phrase": {
"fields.textsearchable.originalcont": {
"query": "snowy adventure"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_originalcont": {
"query": "snowy adventure"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
},
"size": 100,
"sort": [
{
"fields.datetime.date": {
"order": "desc",
"unmapped_type": "date"
}
},
{
"fields.integer.snum": {
"order": "asc",
"unmapped_type": "integer"
}
}
],
"stored_fields": [
"fields.text.msgc",
"fields.integer.natc",
"fields.text.auth",
"fields.text.subj",
"fields.datetime.date",
"fields.integer.size",
"fields.textretrievable.tags",
"fields.text.ppdn",
"fields.text.dtyp",
"fields.text.pvid",
"fields.integer.snum",
"fields.textretrievable.vlid",
"fields.text._Vault.MsgType",
"fields.intretrievable.itemexpiry",
"fields.text.keys",
"tags.text._evtag.category",
"tags.text._evtag.inclusion",
"tags.text._evtag.exclusion"
],
"timeout": "600s",
"track_total_hits": true
}
Sample Search Criteria 2:
FIELD | OPERATOR | SEARCH TERMS
Date | is between | From 01/05/2005 To 01/01/2012
Subject or Content | contains any of | good old days
{
"_source": false,
"from": 0,
"query": {
"bool": {
"filter": [
{
"term": {
"indexVolumeName": {
"value": "17845af6064c96b4c80b01c41ec244919_153"
}
}
}
],
"must": [
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"range": {
"fields.datetime.date": {
"gte": "2005-01-05T05:00:00Z",
"lte": "2012-01-02T04:59:59Z"
}
}
},
{
"range": {
"fields.datetime.a_date": {
"gte": "2005-01-05T05:00:00Z",
"lte": "2012-01-02T04:59:59Z"
}
}
},
{
"range": {
"fields.datetimesearchable.a_date": {
"gte": "2005-01-05T05:00:00Z",
"lte": "2012-01-02T04:59:59Z"
}
}
}
]
}
},
{
"bool": {
"should": [
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"match_phrase": {
"fields.textsearchable.originalcont": {
"query": "good"
}
}
},
{
"match_phrase": {
"fields.text.subj": {
"query": "good"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_originalcont": {
"query": "good"
}
}
},
{
"match_phrase": {
"fields.text.a_subj": {
"query": "good"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_subj": {
"query": "good"
}
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"match_phrase": {
"fields.textsearchable.originalcont": {
"query": "old"
}
}
},
{
"match_phrase": {
"fields.text.subj": {
"query": "old"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_originalcont": {
"query": "old"
}
}
},
{
"match_phrase": {
"fields.text.a_subj": {
"query": "old"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_subj": {
"query": "old"
}
}
}
]
}
}
]
}
},
{
"bool": {
"must": [
{
"bool": {
"should": [
{
"match_phrase": {
"fields.textsearchable.originalcont": {
"query": "days"
}
}
},
{
"match_phrase": {
"fields.text.subj": {
"query": "days"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_originalcont": {
"query": "days"
}
}
},
{
"match_phrase": {
"fields.text.a_subj": {
"query": "days"
}
}
},
{
"match_phrase": {
"fields.textsearchable.a_subj": {
"query": "days"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
},
"size": 100,
"sort": [
{
"fields.datetime.date": {
"order": "desc",
"unmapped_type": "date"
}
},
{
"fields.integer.snum": {
"order": "asc",
"unmapped_type": "integer"
}
}
],
"stored_fields": [
"fields.text.msgc",
"fields.integer.natc",
"fields.text.auth",
"fields.text.subj",
"fields.datetime.date",
"fields.integer.size",
"fields.textretrievable.tags",
"fields.text.ppdn",
"fields.text.dtyp",
"fields.text.pvid",
"fields.integer.snum",
"fields.textretrievable.vlid",
"fields.text._Vault.MsgType",
"fields.intretrievable.itemexpiry",
"fields.text.keys",
"tags.text._evtag.category",
"tags.text._evtag.inclusion",
"tags.text._evtag.exclusion"
],
"timeout": "600s",
"track_total_hits": true
}
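Because each search term is fanned out over many index fields, the elasticsearchreq files are long even for simple searches. The following Python sketch is an added example, not part of Enterprise Vault; it folds the nested bool clauses back into the original criteria and pulls out the index volume, sort order and timeout. It assumes only the JSON keys visible in the samples above, and its input is a constructed, cut-down copy of the second sample.

```python
import json

def _leaf(clause):
    """Return (field, value) for a match_phrase/range/term leaf, else None."""
    for kind in ("match_phrase", "range", "term"):
        if kind in clause:
            (field, body), = clause[kind].items()
            if kind == "match_phrase":
                return field, '"%s"' % body["query"]
            if kind == "range":
                return field, "[%s TO %s]" % (body.get("gte", "*"), body.get("lte", "*"))
            return field, body["value"]
    return None

def collapse(clause):
    """Fold nested bool wrappers into one expression. Assumes each bool holds
    either must or should, as in the logs shown on this page."""
    leaf = _leaf(clause)
    if leaf:
        return "%s=%s" % leaf
    parts = []
    for key, joiner in (("must", " AND "), ("should", " OR ")):
        children = clause.get("bool", {}).get(key, [])
        leaves = [_leaf(c) for c in children]
        # One value fanned out over several index fields: report it once.
        if len(leaves) > 1 and all(leaves) and len({v for _, v in leaves}) == 1:
            parts.append("%s in %d fields" % (leaves[0][1], len(leaves)))
        elif children:
            rendered = [collapse(c) for c in children]
            parts.append(rendered[0] if len(rendered) == 1 else "(" + joiner.join(rendered) + ")")
    return " AND ".join(parts)

def summarize_request(text):
    req = json.loads(text)
    top = req["query"]["bool"]
    filters = [_leaf(f) for f in top.get("filter", [])]
    return {
        "index_volumes": [l[1] for l in filters if l and l[0] == "indexVolumeName"],
        "expression": collapse({"bool": {"must": top.get("must", [])}}),
        "sort": [(f, s["order"]) for entry in req.get("sort", []) for f, s in entry.items()],
        "timeout": req.get("timeout"),
    }

# Constructed input: the second elasticsearchreq sample, cut down to two
# date fields and two terms over two subject fields.
_RANGE = {"gte": "2005-01-05T05:00:00Z", "lte": "2012-01-02T04:59:59Z"}
def _fan(term):  # the must -> should wrapper the log puts around each term
    return {"bool": {"must": [{"bool": {"should": [
        {"match_phrase": {"fields.text.subj": {"query": term}}},
        {"match_phrase": {"fields.text.a_subj": {"query": term}}}]}}]}}
SAMPLE = json.dumps({
    "query": {"bool": {
        "filter": [{"term": {"indexVolumeName": {"value": "17845af6064c96b4c80b01c41ec244919_153"}}}],
        "must": [{"bool": {"must": [
            {"bool": {"should": [{"range": {"fields.datetime.date": _RANGE}},
                                 {"range": {"fields.datetime.a_date": _RANGE}}]}},
            {"bool": {"should": [_fan("good"), _fan("old")]}}]}}]}},
    "sort": [{"fields.datetime.date": {"order": "desc", "unmapped_type": "date"}}],
    "timeout": "600s"})
```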