Veritas Enterprise Vault™ Discovery Accelerator Administrator's Guide
About the search criteria options
When you construct a search that contains multiple options, pay attention to how each option interacts with the others in the search properties pane. Discovery Accelerator links all the selected options together with Boolean AND operators rather than OR operators. For example, suppose that you construct a search whose criteria include the following:
A date range in the Date range section
A search term in the Search terms section
A file extension in the Attachments section
The search results contain only those items that match all the search criteria. Discovery Accelerator ignores any items that match some of the search criteria options but not others.
The search properties pane has the following sections:
The Search section identifies the search and specifies when it runs.
Identifies the case or research folder in which the search runs. When the folder is not linked to any case, "My Research" appears.
Specifies a name for the search, such as "Daily Message Capture (London)".
Based on Search
Lets you select an existing search as the basis on which to set the criteria for the new search.
Save results in
If displayed, lets you select a location in which to save the results. Select New folder in <Context> in the drop-down list if you want to specify the details of a new folder in which to save the results.
This option is available only when you create a search in a folder that is not linked to any case (you have selected "My Research" in the left pane).
Specifies whether the search runs immediately or at a scheduled time. If you select Scheduled, you can specify a period during which the search is to run. You can also choose from one of a number of existing schedules.
Automatically accept search results
Specifies whether to add the search results to the review set automatically. This option may be useful for any proven searches that you intend to run on a regular basis. If you check, you cannot reject the results and change the search criteria. We recommend that you uncheck until you have tested that the search returns the expected results.
A search that returns an error from any archive is not automatically accepted, regardless of this setting.
Include items already in review
Specifies whether the search results can include the items that you have previously captured and added to the review set. For an immediate search or scheduled search, we recommend that you check this box to ensure that the results include the items that may already be in review from other searches.
The Date range section lets you search for items according to when they were sent or received.
Today / Yesterday / Last 7 days / Last 14 days / Last 28 days
Limits the search to items that were sent or received during the selected period. The date ranges are relative to when the search runs, which is today in the case of an immediate search.
You may find these options useful when creating a scheduled, recurrent search that runs once every day, week, two weeks, or four weeks. For example, if the search runs once a week, select Last 7 days to limit the range to the days since the search last ran.
Specific date range
Lets you search the items that were sent or received during a longer or more specific period than the other date range options permit. To enter a date, click the options at the right of the From and To boxes and then select the required date. Unlike the other date range boxes, a specific date range remains static and not relative to when the search runs.
Checkto use both the current information and historical information for custodians and custodian groups in the search. If you uncheck this option, Discovery Accelerator uses only the current set of custodians, groups, and email addresses. Any users or groups whose names or email addresses have changed, or who have been deactivated for some reason, are excluded from the search.
Since search last ran
For a scheduled search only, lets you search the new items that have arrived since the last time you ran the search. This option is similar to options such as Today and Yesterday. However, it lets you set an explicit start date for the first run of the search.
By default, this option searches from the date of the last run (or the start date for the first search) to the current day minus 1 (that is, up to yesterday).
The Search terms section specifies the words or phrases for which Discovery Accelerator should search in items. Clickto add each word or phrase for which you want to search. Note the following:
Discovery Accelerator searches are case-insensitive.
To search for a phrase, enclose the words in quotation marks.
For example, you can search for all items whose subject lines contain the phrase "organizational changes" by defining a search term like this one:
SUBJ: "organizational changes"
Discovery Accelerator considers the file names of message attachments to be their subjects. So, the preceding search term finds both items that contain the phrase "organizational changes" in their subject lines and attachments that have this phrase in their file names.
If you type multiple words on the same line, Discovery Accelerator finds all items that contain any of the words or phrases on the line.
Note that you must separate all the words in the search term with spaces. The following search term does not return the expected results because there is no space between the words "changes" and "license". Consequently, Discovery Accelerator searches for items that contain one or more of the following words: "organizational", "changeslicense", and "agreements".
SUBJ: "organizational changes""license agreements"
Similarly, the search terms license;agreements and license; agreements differ because, in the second case, a space follows the semicolon. The presence of the space causes Discovery Accelerator to find the items that contain either word, whereas the absence of the space causes Discovery Accelerator to treat the search term as a phrase.
Press the Return key in a search box to add another line to it. If you type multiple lines in a search box, chooseor in the left box to determine whether OR or AND conditions connect the lines.
To add the details of email targets or custodians to thebox or box, click the button at the right of the box.
If you specify as a target or custodian a Domino user whose details you synchronize with a Domino directory, you must ensure that this user has an SMTP address defined in the Domino directory. Otherwise, the search fails to find the matching items. Alternatively, you can search for such users by their display names.
Use the fields in the Custodian Manager options area to specify how to search for custodians or custodian groups. You can choose to search email addresses, display names, or both email addresses and display names. If you select , a custodian or custodian group must have either a matching email address or a matching display name to meet the search criteria; it does not need to have both.
Selectif you want Discovery Accelerator to search not only the display name and email address of a custodian group but also the email addresses of all the members of the group.
The conditions that you enter in the Custodian Manager options area use the custodian information that is available at the time that you build the search. This information is not updated unless you edit the search again. For example, when you create a search and select the option , the list members at that time are saved with the search. If the membership of the list changes later, these changes are not applied to the search until you edit and save it again.
Place the plus sign (+) in front of a word or phrase to connect it to every other word or phrase on the line with a Boolean AND condition. This sign instructs Discovery Accelerator to treat the specified word or phrase as required criteria. For example, the following search string means "(server AND test) OR (group AND test) OR (cluster AND test)":
[Any Of] server group +test cluster
In the following example, the search string means "(server AND test AND group) OR (cluster AND test AND group)":
[Any Of] server +group +test cluster
Place the minus sign (-) in front of a word or phrase to connect it to every other word or phrase on the line with a Boolean AND NOT condition. This sign instructs Discovery Accelerator to exclude from the result set those results that match the other search criteria and contain the excluded term. For example, the following search string means "(server AND NOT test) OR (group AND NOT test) OR (cluster AND NOT test)":
[Any Of] server group -test cluster
In the following example, the search string means "(server AND cluster AND (group AND NOT test))":
[All Of] server cluster group -test
A search term cannot comprise an excluded word or phrase only. When you specify such words or phrases, you must also specify a positive word or phrase that you want to appear in the search results.
You can use an asterisk (*) wildcard to represent zero or more characters in your search. Use a question mark (?) wildcard to represent any single character.
A wildcard search always finds items that match your search criteria and that were archived in Enterprise Vault 10.0 or later. To ensure that the search results also include items that Enterprise Vault 9.0 or earlier has archived, enter at least three other characters before the wildcard. For example, the following search string returns hits for the words "make", "maker", "making", "wonder", "wondering", and so on:
[Any Of] mak* Wonder*
You can include wildcard characters in the email addresses that you specify in abox or box. The following example finds items from users with an email address that includes "@acme.uk" or "@acme.hk":
[Any Of] @acme.?k
However, you cannot use either wildcard character after a special character, such as the at sign (@). For example, the search string "@?cme.uk" does not produce the expected results.
Discovery Accelerator ignores any nonalphanumeric characters in the search term, except for those that have special significance, such as the plus sign, minus sign, and question mark.
For example, a search for the term US@100 may find instances not only of US@100 but also of US 100 and US$100. Including nonalphanumeric characters in the search term may therefore return more results than you expect.
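The following Python code is an added example, not Veritas code. It models the search-term rules described above (the + and - prefixes under Any Of and All Of, quoted phrases, the * and ? wildcards, and ignored nonalphanumeric characters) so that a search line can be checked against sample text before it is set to accept results automatically. The function names, the treatment of ignored characters as word separators, and the handling of a line that holds only + terms are assumptions.

```python
import re
import shlex
from fnmatch import fnmatchcase

TERM_CHARS = re.compile(r"[a-z0-9*?]+")   # assumption: everything else separates words


def parse_line(line):
    """Split one search line into (optional, required, excluded) terms."""
    optional, required, excluded = [], [], []
    for token in shlex.split(line.lower()):          # searches are case-insensitive
        bucket = {"+": required, "-": excluded}.get(token[:1], optional)
        term = TERM_CHARS.findall(token)             # a quoted phrase gives several words
        if term:
            bucket.append(term)
    if not optional and not required:
        raise ValueError("a search term cannot comprise excluded words only")
    return optional, required, excluded


def contains(words, term):
    """True if the consecutive word patterns in term occur in words."""
    n = len(term)
    return any(
        all(fnmatchcase(w, p) for w, p in zip(words[i:i + n], term))
        for i in range(len(words) - n + 1)
    )


def matches(mode, line, text):
    """Evaluate one search line ('any' = [Any Of], 'all' = [All Of]) against text."""
    optional, required, excluded = parse_line(line)
    words = re.findall(r"[a-z0-9]+", text.lower())
    if any(contains(words, t) for t in excluded):    # "-" terms: AND NOT
        return False
    if not all(contains(words, t) for t in required):  # "+" terms: AND
        return False
    if not optional:                                 # assumption: "+" terms alone suffice
        return True
    combine = any if mode == "any" else all
    return combine(contains(words, t) for t in optional)


if __name__ == "__main__":
    # Constructed sample text, not taken from any archive.
    sample = "Cluster test scheduled for the new server group"
    for mode, line in [("any", "server group +test cluster"),
                       ("any", "server group -test cluster"),
                       ("all", "server cluster group -test")]:
        print(mode, repr(line), matches(mode, line, sample))
```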
This feature is available only if you have the Select Archives in Search permission in the case.
The feature is not available when you define the criteria for a scheduled search; you can use it when you set up immediate searches only.
The Archives section lets you restrict the scope of a case-level search or folder-level search to certain archives only. By default, Discovery Accelerator searches all the archives in the vault stores that you have selected for the case. However, this may be undesirable and time-consuming if Discovery Accelerator must search many thousands of archives unnecessarily.
To select the archives in which to search
- Click Search these archives.
- Click the Archive Picker option at the right.
- In the Select Archives dialog box, select the required archives.
You can select up to 5000 archives from the case-level archive list.
- Click Apply.
The Attachments section lets you search for items with a certain number or type of attachments.
Specifies the required number of attachments. The default option, "Does not matter", means that the item can have zero or more attachments. All the other options require you to type one or two values that specify the required number of attachments.
Specifies the file name extensions of particular types of attachments for which to search. Separate the extensions with space characters. For example, type the following to search for items with HTML or Microsoft Excel file attachments:
This search option evaluates attachments by their file names only; it does not check their file type. For example, suppose that a user changes the file name extension of a
The contents of some attachments may not be searchable because Enterprise Vault has not indexed them. In particular, file formats such as Fax and Voice do not have any indexable content.
Some Enterprise Vault registry entries prevent it from indexing the contents of selected file types. For example, this is the case with the ExcludedFileTypesFromConversion entry. For more information, see the Enterprise Vault Registry Values guide.
For more information on how Discovery Accelerator conducts searches in which you have specified file name extensions, see the following article on the Veritas Support website:
The Miscellaneous section lets you search for items of a certain size and type or that have the specified retention category.
Specifies the size in kilobytes of each item for which to search, as reported by the message store (Exchange, Domino, and so on). The item size includes the size of any attachments.
Searches for items of the selected types.
Include only non-indexed items
Lets you search for the unindexed items that do not normally appear in the search results, such as binary files and encrypted mail items.
If you check this option, you must leave the Content field empty.
Searches for items to which Enterprise Vault has assigned the selected retention categories.
The Policies section lets you search for items according to the tags with which any additional policy management software has classified them.
Lets you search for the items that match certain classification policies. There are several types of policies:
These policy types are not mutually exclusive. Your policy management software may apply multiple policies of different types to the same item. However, note that inclusion policies always take precedence over the other types of policies.
Select the required policy type and then check the names of the policies for which you want to search. Alternatively, you can selectas the policy type and then type the names of one or more policies. Separate multiple policy names with commas, like this:
If you choose to search for multiple policies, the search results will contain items that match any one of the policies.
Filter policies by current case
Lets you omit from the list those policies that are not in use in the current case.
The Custom attributes section lets you search for the items that have the specified attributes. When Enterprise Vault processes an item, it populates a number of the item's attributes with information and stores this information with the archived item. Some third-party software may also attach additional attribute information to items. If you know the name of an attribute that interests you, you can enter its details here as a custom attribute.
Note the following:
If you enter the details of several attributes, use the options in the Attribution inclusion box to determine whether the search results should match any of the attributes or all of them.
For attributes that accept string values, you can add the details of email targets or custodians by clicking thebuttons at the right of the boxes.
If you set Custodian Manager options to , it is important to understand how Discovery Accelerator processes the details of any custodian that you enter in a custom attribute field. Discovery Accelerator links the custodian's email address to the display name with either a Boolean AND operator or an OR operator, depending on what you choose in the Operator box. For example, with Operator set to , only items that match both the custodian's email address and the display name meet the search criteria; an item that matches just one of these details does not meet the search criteria. Set Operator to to link the email address and display name with an OR operator. Then any item that matches at least one detail (but not necessarily both) meets the search criteria.
To search for attribute information that third-party software has added to the X-Headers of SMTP items, add the prefix EVXHDR. to the name of the required attribute. For example:
The attribute name and value are case-sensitive.
Do not enclose attribute values in quotation marks if you want to indicate that they are phrases. Instead, selectas the operator for these attributes, if you have a choice. Alternatively, you can indicate that an attribute value is a phrase by replacing all the spaces with periods, as follows:
This technique lets you specify multiple phrase values for the same custom attribute. For example, consider the following attribute value:
Enterprise.Vault.Service.Account system DA.Administrator
This value matches "Enterprise Vault Service Account", "system", and "DA Administrator".