locked
Discovery seach does not return the correct messages RRS feed

  • Question

  • We're trying to produce what I thought would be simple reports on the entire mail database. We have a simple single Exch2010 box. When using the discovery search tool, it is returning WAY too much of the wrong info. I just want to put in keywords, restrict the FROM to a single @domain.com and limit by date. It seems like the tool would do such a simple thing, but it doesn't seem to filter out on the FROM at all. It just does the keywords and dates. Without the limit on the From domain there are thousands of incorrect hits.

    I have the latest CU's, the user is definitely part of the discovery role group, it works on just keywords, but its just spewing all kinds of useless information. Anyone have any ideas? I really don't use powershell and would prefer not to since I have a bunch of these to do in various options, but I can't trust the data.


    Curt Kessler - FLC

    Thursday, February 27, 2014 10:20 PM

Answers

  • Hi Curt,

    To know more about the issue, could you please let me know the search query you specified which give unexpected result? Since you mentioned you don’t want to use shell, are you using ECP? When perform the search, how did you specify the “Keywords” and “Messages To or From Specific E-mail Address”? Which mailbox did you use as the destination mailbox to store the search result?

    I recommend not choose the “Include items that can’t be searched” and “Enable deduplication” option. Please try again and give me a screenshot of the result if still other emails from other senders appear in the search result. Please set the keywords as format

    “Keywords”1 AND (“Keywords2” OR “Keywords3”)

    Note: If we only specify one keywords, what’s the result? Please test and check.

    Meanwhile, to narrow down the issue, it’s recommend to use shell to search, it’s useful to test the issue and verify if the same result using the same search queries and still emails form other senders appear. For example:

    New-MailboxSearch -Name "Search-20140307" -TargetMailbox “Target mailbox to store the search result” -StartDate "01/01/2014" -EndDate "03/07/2014" -Senders "sender email address or domain name" -SearchQuery "search keywords" -ExcludeDuplicateMessages

    For more information about discovery search, we can refer to the following articles:

    Title: Mailbox Search

    Link1: http://technet.microsoft.com/en-us/library/dd298064(v=exchg.141).aspx

    Link2: http://technet.microsoft.com/en-us/library/dd335072(v=exchg.141).aspx#PDS

    Link3: http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/managing-multi-mailbox-search-exchange-server-2010-part2.html


    Regards, Eric Zou

    Friday, March 7, 2014 8:51 AM

All replies

  • Discovery Search depends on content indexing. I would start by ensuring that indexing is working properly.

    You can check the state of the content index in EMC by selecting Organization Configuration -> Mailbox -> Select the database in question and check the result pane under the content index column. Alternatively in powershell it's:

    Get-mailboxdatabase "Name of database" | get-mailboxdatabasecopystatus

    If it is not healthy, you can check the Microsoft Exchange Search service, the event log, and/or run:

    Test-ExchangeSearch -Identity "user on the database in question"

    Since it appears as though you do not have multiple copies of the database, you may want to run the ResetSearchIndex.ps1 from your Scripts folder to re-crawl your database and re-create the index.

    Also, can you post an example of the exact criteria you're trying to search for? I can attempt to re-create your issue in my lab to get to the bottom of it that way also. Please include the Service Pack and Rollup Update level of your Exchange Server so I can most closely match your environment.

    Hope this helps!


    Woody Colling, MCITP Exchange 2010
    -----Please remember to mark answers appropriately-----

    Friday, February 28, 2014 3:49 AM
  • Woody--thanks for the reply. I checked the database, the index status is Healthy and I do get results when doing searches. In fact that's the real problem, I'm getting way too much. For example, if I put mail FROM a specific person (or @domain.com) I get mail not only from them, but from hundreds of others that look like they have no relation to the query. After going through multiple searches, it looks like discovery search can do keywords and date filtering, but basically nothing else has any effect on the search.

    I have Exchange 2010/SP3/UR4 (fully patched). The index is healthy.

    Basically I try putting in keywords "commission" OR "bonus" and restricting by a FROM address or @domain. Set restrictions on date range for the past two years, put in the discovery mailbox and de-duplicate. I get a huge pile of mail without any regard to the FROM field.

    Any help would be appreciated. thanks!


    Curt Kessler - FLC

    Friday, February 28, 2014 6:44 PM
  • Hi Curt,

    To know more about the issue, could you please let me know the search query you specified which give unexpected result? Since you mentioned you don’t want to use shell, are you using ECP? When perform the search, how did you specify the “Keywords” and “Messages To or From Specific E-mail Address”? Which mailbox did you use as the destination mailbox to store the search result?

    I recommend not choose the “Include items that can’t be searched” and “Enable deduplication” option. Please try again and give me a screenshot of the result if still other emails from other senders appear in the search result. Please set the keywords as format

    “Keywords”1 AND (“Keywords2” OR “Keywords3”)

    Note: If we only specify one keywords, what’s the result? Please test and check.

    Meanwhile, to narrow down the issue, it’s recommend to use shell to search, it’s useful to test the issue and verify if the same result using the same search queries and still emails form other senders appear. For example:

    New-MailboxSearch -Name "Search-20140307" -TargetMailbox “Target mailbox to store the search result” -StartDate "01/01/2014" -EndDate "03/07/2014" -Senders "sender email address or domain name" -SearchQuery "search keywords" -ExcludeDuplicateMessages

    For more information about discovery search, we can refer to the following articles:

    Title: Mailbox Search

    Link1: http://technet.microsoft.com/en-us/library/dd298064(v=exchg.141).aspx

    Link2: http://technet.microsoft.com/en-us/library/dd335072(v=exchg.141).aspx#PDS

    Link3: http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/managing-multi-mailbox-search-exchange-server-2010-part2.html


    Regards, Eric Zou

    Friday, March 7, 2014 8:51 AM
  • Hi Curt,

    How are you going? This is Eric. Please feel free to let me know if any update on this issue.


    Regards, Eric Zou

    Tuesday, March 11, 2014 9:55 AM