KQL query in Content Search

Bosco Joseph · ‎Jun 27 2017

Am trying to perform a content search based on an exact subject phrase in an email that was inadvertenty sent to a lot of users in the org, but keep getting more results than what i actually expected.

The original message was system generated from an intune exchange compliance policy.

e.g here is what i was looking for in my query

Subject: "Action required to access your org's email on your device"

But the results return messages that were forwarded/replied to the original msg.

any idea how i can tweak this query to return an extact subject string match

Vasil Michev · ‎Jun 27 2017

The colon notation (:) translates to "contains". If you want exact match, you can use a condition with the equal sign (=). At least according to the documentation that is. In reality, doesnt seem to work.

So the workaround is to exclude anything that starts with the subject, which of course is a crapy way to do this but the only one that seems to work. For example, this should work in your case:

subject="Action required to access your org's email on your device" -subject="RE: Action required to access your org's email on your device"

You will have to account for the different variations of this because of languages, also for forwarding, etc...

Bosco Joseph · ‎Jun 28 2017

Thx Vasil

I was able to get it to work with the following query

Subject: "Action required to access your org's email on your device" NOT subject:”FW” NOT subject:”RE”

Vasil Michev · ‎Jun 28 2017

But those two will only work for English language settings, if you have users using other languages you will have to account for the corresponding abbreviations :)

KQL query in Content Search

KQL query in Content Search

Re: KQL query in Content Search

Re: KQL query in Content Search

Re: KQL query in Content Search

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

KQL query in Content Search