KQL query in Content Search

%3CLINGO-SUB%20id%3D%22lingo-sub-82506%22%20slang%3D%22en-US%22%3EKQL%20query%20in%20Content%20Search%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-82506%22%20slang%3D%22en-US%22%3E%3CP%3EAm%20trying%20to%20perform%20a%20content%20search%20based%20on%20an%20exact%20subject%20phrase%20in%20an%20email%20that%20was%20inadvertenty%20sent%20to%26nbsp%3Ba%20lot%20of%20users%20in%20the%26nbsp%3Borg%2C%20but%20keep%20getting%20more%20results%20than%20what%20i%20actually%20expected.%3C%2FP%3E%3CP%3EThe%20original%20message%20was%20system%20generated%20from%20an%20intune%20exchange%20compliance%20policy.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ee.g%20here%20is%20what%20i%20was%20looking%20for%20in%20my%20query%3C%2FP%3E%3CP%3E%3CSPAN%3ESubject%3A%20%22Action%20required%20to%20access%20your%26nbsp%3Borg's%20email%20on%20your%20device%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EBut%20the%20results%20return%20messages%20that%20were%26nbsp%3Bforwarded%2Freplied%20to%20the%20original%20msg.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3CSPAN%3Eany%20idea%20how%20i%20can%20tweak%20this%20query%20to%20return%20an%20extact%20subject%20string%20match%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-83337%22%20slang%3D%22en-US%22%3ERe%3A%20KQL%20query%20in%20Content%20Search%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-83337%22%20slang%3D%22en-US%22%3E%3CP%3EBut%20those%20two%20will%20only%20work%20for%20English%20language%20settings%2C%20if%20you%20have%20users%20using%20other%20languages%20you%20will%20have%20to%20account%20for%20the%20corresponding%20abbreviations%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-83327%22%20slang%3D%22en-US%22%3ERe%3A%20KQL%20query%20in%20Content%20Search%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-83327%22%20slang%3D%22en-US%22%3E%3CP%3EThx%20Vasil%3C%2FP%3E%3CP%3EI%20was%20able%20to%20get%20it%20to%20work%20with%20the%20following%20query%3C%2FP%3E%3CP%3ESubject%3A%20%22Action%20required%20to%20access%20your%20org's%20email%20on%20your%20device%22%20NOT%20subject%3A%E2%80%9DFW%E2%80%9D%20NOT%20subject%3A%E2%80%9DRE%E2%80%9D%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-82525%22%20slang%3D%22en-US%22%3ERe%3A%20KQL%20query%20in%20Content%20Search%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-82525%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20colon%20notation%20(%3A)%20translates%20to%20%22contains%22.%20If%20you%20want%20exact%20match%2C%20you%20can%20use%20a%20condition%20with%20the%20equal%20sign%20(%3D).%20At%20least%20according%20to%20the%20documentation%20that%20is.%20In%20reality%2C%20doesnt%20seem%20to%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20the%20workaround%20is%20to%20exclude%20anything%20that%20starts%20with%20the%20subject%2C%20which%20of%20course%20is%20a%20crapy%20way%20to%20do%20this%20but%20the%20only%20one%20that%20seems%20to%20work.%20For%20example%2C%20this%20should%20work%20in%20your%20case%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3Esubject%3D%22Action%20required%20to%20access%20your%26nbsp%3Borg's%20email%20on%20your%20device%22%20-subject%3D%22RE%3A%20Action%20required%20to%20access%20your%26nbsp%3Borg's%20email%20on%20your%20device%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20will%20have%20to%20account%20for%20the%20different%20variations%20of%20this%20because%20of%20languages%2C%20also%20for%20forwarding%2C%20etc...%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Am trying to perform a content search based on an exact subject phrase in an email that was inadvertenty sent to a lot of users in the org, but keep getting more results than what i actually expected.

The original message was system generated from an intune exchange compliance policy.

 

e.g here is what i was looking for in my query

Subject: "Action required to access your org's email on your device"

 

But the results return messages that were forwarded/replied to the original msg.

 any idea how i can tweak this query to return an extact subject string match

3 Replies

The colon notation (:) translates to "contains". If you want exact match, you can use a condition with the equal sign (=). At least according to the documentation that is. In reality, doesnt seem to work.

 

So the workaround is to exclude anything that starts with the subject, which of course is a crapy way to do this but the only one that seems to work. For example, this should work in your case:

 

subject="Action required to access your org's email on your device" -subject="RE: Action required to access your org's email on your device"

 

You will have to account for the different variations of this because of languages, also for forwarding, etc...

Thx Vasil

I was able to get it to work with the following query

Subject: "Action required to access your org's email on your device" NOT subject:”FW” NOT subject:”RE”

But those two will only work for English language settings, if you have users using other languages you will have to account for the corresponding abbreviations :)