Forum Discussion
KQL query in exchange help
Hello. I'm struggling to build out a query and am getting lost. I have never used KQL and am hoping someone may be able to help me figure out how to write queries for the following 2 scenarios in eDiscovery search. I've tried building out the query for the first search since it seems to me that it would be the less complex of the two, but keep getting failures. I appreciate any assistance!
Search 1:
Exchange content timeframe: 1/1/2019-3/31/2019
Custodian: Bugs Bunny (source of exchange content)
Exclude exchange content between Bugs Bunny and Daffy Duck, but include all other content between Bugs Bunny and other parties; and exclude exchange content (including attachments) pertaining to ACME Operations Manager or Petunia Pig
Search 2:
Exchange content timeframe: 1/1/2019-3/31/2019
Custodian: Elmer Fudd (source of exchange content)
Exclude exchange content between Bugs Bunny and Daffy Duck, but include all other content between Bugs Bunny and other parties; and exclude exchange content (including attachments) pertaining to ACME Operations Manager or Petunia Pig
2 Replies
Did you ever resolve this?
I am in the process of doing something similar and the results of my searches are not making sense. The first search I attempt to get everything, then the 2nd is just privileged stuff and a 3rd only non privileged. The logic being if S1 is the same size as S2+S3 I have good results. This does not seem to work out, ever.
Here was my post, did not see yours until after i made it: eDiscovery KQL assistance- Hi. Yes, I was able to get a colleague to help me make a few minor tweaks to my query. I updated the list of keywords to exclude (and it was important that I used "NOT" instead of "-" for the exclusion operator). The query below returned results with the limitations I was seeking:
NOT (petunia OR "ACME Operations Manager" OR "manager - 12345" OR "other text") AND ((sent>2022-02-01 AND sent<2022-04-30) OR (received>2022-02-01 AND received<2022-04-30)) AND ((From<>email address removed for privacy reasons AND To<>email address removed for privacy reasons) OR (From<>email address removed for privacy reasons AND To<>email address removed for privacy reasons)) AND ((From<>email address removed for privacy reasons AND To<>email address removed for privacy reasons) OR (From<>email address removed for privacy reasons AND To<>email address removed for privacy reasons))
