Performing a search
With the Search Server, one can find all the DeviceLock Enterprise Server log records in which a certain word or text fragment occurs. Since search queries usually return a large number of results, the Search Server provides a number of options to fine tune and optimize the search. These options make it possible to specify exactly what search results should be returned.
Using search options, one can:
•Filter search results by date, log, sender, recipient, file type, source, etc. Thus, using a filter, one could limit search results to certain logs and a given date range.
•Set the number of search results per page.
For a description of the search options along with instructions on setting up and executing a search, see
Steps to perform a search.
Having completed a search, the server returns a search results page, divided into the following view areas:
•
Search query - Displays the search criteria that were used by the search.
•
Statistics bar - Shows the number of results displayed on the current search results page.
•
Search results - Displays a numbered list of items containing information that matched the search criteria.
•
Results navigator - Shows how many results pages are returned, and allows one to navigate from page to page.
For more information, see
Working with search results.
Here are some notes to consider when using full-text search:
•It is possible to search individual fields that appear in the Log Parameters and Document Parameters sections of a search result. For such a search, use the following syntax: <field name>::<value>. For example: File Name::Prices.docx.
You can search by multiple field name-value pairs, having enclosed each pair in parentheses. For example, a search for (File Name::secret) (File Type::Excel) will return Excel files that contain the word secret in the file name.
Important: Field names should be specified case-sensitive. The lowercase and uppercase letters in the field name are considered different. |
•Searching the UAM Log also searches keyboard input records. It is possible to search for fragments of text and for passwords that the user entered. Passwords are searched for by the value of the Passwords field in user activity records: Passwords::<value>. For example, you can use the following syntax to find records that contain any passwords: Passwords::?* (an asterisk without a question mark would match any password or no password).
•Search request string can include logical operators, such as
AND and
OR. A space between words is equivalent to
AND. A semicolon (;) is equivalent to
OR. Logical operators must be typed uppercase. For further details, see
About logical operators.
•Search request string is not case sensitive except for search by field value. Field names are case-sensitive.
•Stemming is enabled by default. Stemming extends a search to cover grammatical variations on a word. Thus, the request applied would also retrieve applying, applies, and apply. Stemming is supported for English, French, German, Italian, Portugal, Russian, and Spanish.
•Search request string can include wildcard characters such as asterisks (*) and question marks (?). An asterisk denotes any series of characters or no characters. The question mark denotes any single character. You can use any number of wildcard characters in any position.
•To search for a specific phrase, enclose the phrase in double quotes in the search request string. To search for multiple words, separate each word with a space.
The following table shows the search items, examples, and results of different search types.
Search item | Example | Results |
Single word | price | Results that contain the word price. The search will also find grammatical variations, such as prices, priced, and so on. |
Phrase | confidential information | Results that contain both of the individual words confidential and information, rather than the exact phrase. |
“confidential information” | Results that contain the exact phrase confidential information. |
Wildcard search | te?t | Results that contain test, text, and so on. |
mone* | Results that contain money, monetary, and so on. |
*air | Results that contain air, fair, impair, affair, and so on. |
“* assets” | Results that contain phrases ending with assets, such as monetary assets, liquid assets, fixed assets, current assets. |
Boolean search | price AND quality | Results that contain both price and quality. |
price quality |
price OR quality | Results that contain either price or quality, or both of these words. |
price; quality |
Search by field | (Action::Message) (Recipient:: john.smith@domain.com) (Attachments::.doc) (Attachments::.pdf) | All e-mail messages with .pdf and .doc attachments sent to john.smith@domain.com. |
(Action::Chat) (File Name::Mike) | All instant messages sent to/from the user Mike. |
(File Name::secret) (File Type::Excel) | Excel files with the name containing secret, transmitted via any supported channel. |
(File Type::Acrobat) (Source::File Sharing) (File Size::100~~200 MB) | PDF files of the size between 100 and 200 MB, uploaded to file sharing sites or downloaded from such sites. |
Moreover, the Search Server supports advanced syntax in search query strings.
Character | Meaning | Description |
= | any single digit | N=== would match N123 but not N1234 or Nabc. |
- | exclude | Put - (dash) in front of a word or phrase to exclude it from search results. E.g. -“monetary assets” |
% | fuzzy search | Fuzzy searching will find a word even if it is misspelled. The number of the added characters % determines the number of differences ignored when searching for a word. The position of the characters % determines how many characters at the beginning of the word have to match exactly. Fuzzy searching can be useful when searching text that contains misspelled words. E.g. inf%%ormation would find words beginning with inf and spelled with no more than two differences from the word information. |
# | phonic search | Phonic searching looks for a word that sounds like the given word and begins with the same letter. Phonic searching is somewhat slower than other types of searching and tends to make searches over-inclusive. For the English language only. E.g. #smith would find smithe and smythe. |
& | synonym search | Synonym searching finds synonyms of the word specified in the search request. For the English and Russian languages only. E.g. fast& would also find quickly. |
~~ | numeric range | A numeric range search is a search for any numbers that fall within a range. To add a numeric range to a search request, enter the upper and lower bounds of the search separated by ~~. A numeric range search includes the upper and lower bounds. Decimal points and commas are treated as spaces and minus signs are ignored. E.g. 500~~1000 would find text containing numbers between 500 and 1000. |
: | variable term weighting | By default all words in a request count equally in counting hits. However, this can be changed by specifying the relative weights for each term in the search request. E.g. money:5 information:1 would retrieve the same documents as money information but the Search Server would weight money five times as heavily as information when sorting the results. |
## | regular expression | Regular expressions provide a way to search for complex combinations of characters. In a search request, a regular expression must be enclosed in double quotes and must begin with ##. Search Server employs the TR1 implementation of regular expressions (for details, see
msdn.microsoft.com/library/bb982727.aspx). A regular expression can only match a single word or group of digits. No case conversion is done on regular expressions, so a regular expression must match the case of the string data stored in the index. The search speed depends on the placement of the regular expression in the search query: the closer the expression is to the beginning of the word, the longer the search takes. |
About logical operators
The Search Server supports “Boolean” search requests where words or expressions are united by logical operators such as AND or OR. Examples:
•price AND quality - Both words must be present.
•price OR quality - Al least one of these words must be present.
•price W/3 quality - The word “price” must occur within 3 words of the word “quality”.
•price NOT W/3 quality - The word “price” must occur, but not within 3 words of the word “quality”.
•price AND NOT quality - The word “price” must be present whereas the word “quality” must be missing.
In the case of more than one operator, use brackets to avoid ambiguity of the search request. For example, the request price AND quality OR quantity could mean (price AND quality) OR quantity, or it could mean price AND (quality OR quantity). For best results, always enclose expressions with logical operators into brackets.
The following logical operators are supported:
AND/OR operators
Use the AND operator to combine two words or expressions, both of which must be present in every search result.
Use the OR operator to combine two words expressions, at least one of which must be present in every search result.
W/N and PRE/N operators
Use the W/N operator to specify that one word or phrase must occur within N words of the other. For instance, the request price W/3 quality would return results that contain the word “price” within 3 words of the word “quality”.
The PRE/N operator is like W/N but also specifies that the first expression must precede the second one. For instance, the request price PRE/3 quality would return results that contain the word “price” at most 3 words before the word “quality”.
To avoid ambiguity of the search request, at least one of the two expressions united by W/N or PRE/N should be a single word or phrase, or a group of words and phrases united by OR.
The identifier xfirstword is provided to mark the first word of a search item. In conjunction with the W/N operator, this identifier enables searching for certain words or expressions in the vicinity of the item’s beginning. For instance, the request price W/3 xfirstword would return results that contain the word “price” within 3 words of the first word in a message or file.
NOT and NOT W/N operators
Use the NOT operator at the beginning of the expression to reverse its meaning. This allows the items matching the expression to be excluded from the search results.
The NOT operator can be put at the beginning of the search request. In this case, it reverses the meaning of the entire request. For instance, the request NOT (price W/3 quality) would return results that do not contain the word “price” within 3 words of the word “quality”.
If the NOT operator is used between expressions, then it should be supplemented with another operator, such as AND or OR. Thus, the request price AND NOT quality would return results that contain the word “price” and do not contain the word “quality”.
The combination of the NOT and W/N operators (meaning “not within”) can be used to search for a word or phrase not in association with another word or phrase. For instance, the request price NOT W/3 quality would return results that contain the word “price”, but not within 3 words of the word “quality”. Note that unlike the W/N operator, NOT W/N is not symmetrical, so the request price NOT W/3 quality is not the same as the request quality NOT W/3 price.