Searching the Archive

Document created by user.oxriBaJeN4 Employee on Sep 11, 2015Last modified by user.Yo2IBgvWqr on Sep 22, 2017
Version 20Show Document
  • View in full screen mode

The archive search allows administrators to perform a full search across all emails in the archive, including ingested historical email data. The ability to search the Mimecast archive instantly for email data, provides the administrator with access to email delivery information. This aids in troubleshooting email delivery queries. Administrators with appropriate permissions are also able to read the contents of emails in the archive, forward emails to internal users, or export emails from the Mimecast platform. Archive searches can also be saved with their search parameters for repeated use.

 

Once emails have been indexed, de-duplicated, compressed and encrypted, they are moved to the Mimecast storage grid and archived. The length of time emails are retained is dependent on your account retention settings. When an email is archived, this includes both the content and the metadata associated with email delivery and processing.  An archive search allows administrators to trace emails and troubleshoot email delivery. Depending on their permissions, they will either be able to view the metadata of the email, or view both the content and metadata.

Several methods are also available to modify email retention. For more information, view the full article.

Searching the Archive

An accepted message is not archived if it has a retention period of three days or less, but remains in the Accepted Email queue until it expires.

In order to produce the most relevant results when using the Archive search, it is important to make the search parameters as specific as possible.  For example, add details such as the search text, dates, sender and recipient where appropriate.

 

To search the archive:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Archive | Archive Search menu item  The search screen is displayed:

    You can use parenthesis to group search terms. For example, (HUD OR Fannie OR Freddie OR FHA) AND (price OR fee OR cost) would return "HUD cost" "Fannie price" "FHA fee" etc. We recommend that you avoid including quotation marks when searching for terms, as this will likely result in poor search results.

    Field NameDescription
    Search Text

    This field is used to specify the text to search for and allows searches to be performed using Boolean search parameters. When entering the text, it can be entered exactly, or if you’re not sure, you have the ability to use some wild card characters.

    Wild Card CharacterText EnteredSearch Results Returned
    An asterisk * to indicate unknown lettersdocu*Results containing words beginning with “docu” such as "document"
    A question mark ? to indicate a single unknown letterpracti?eResults containing words such as “practice” or “practise”
    A space between words implies an AND optiontraining exerciseResults containing both "training" and "exercise", but the words may not be adjacent to one another
    Use the OR option between words to extend your searchfred OR jim OR joeResults containing either "fred", "jim" or "joe", or a combination of these words
    An exclamation mark ! before a word executes the NOT option to exclude words from the search.

    The exclude option cannot be used on it's own. Text to be included must be used at the same time, as shown in the example text entered.

    fred !joeResults containing "fred" but not "joe" (if a message includes both fred and joe, it would not be included in the results)
    Entering text within quotation marks allows you to search for exact phrases"knowledge base"Results containing the exact phrase "knowledge base"
    Searching for Calendar itemsContent-Type: text/calendarResults containing Calendar items
    A tilde character followed by a number (e.g. ~6) to search for one word in proximity to another.

    "more optimization" ~6

    Results in sentence where the word "more" is within six words of the word "optimization". For example, "More efficient I/Os through Read/Write optimization".

     

    The following terms are automatically excluded from the search: "a", "an", "and", "are", "as", "at", "be", "but", "by", "for", "if", "in", "into", "is", "it", "no", "not", "of", "on", "or", "such", "that", "the", "their", "then", "there", "these", "they", "this", "to", "was", "will", "with". These common words are not indexed by Mimecast when an email is archived, and therefore are ignored when the search query is performed. This also applies when using phrases (as described in the example list above). For example, when searching for "training the customers", Mimecast will return results including "training the customers", "training with customers", "training at customers", etc.

    Archive Searches can only start with valid search text. Wildcards or other search parameters, such as '!', used as the first character in the search string will cause the search to fail.

    Email Areas to Search WithinSearches can be applied across one or more parts of the message. For example "Subject Line", "Message Header", "Message Body", Attachment", "Attachment Types", or "Attachment Name".

    If searching across multiple areas, results are returned where the search string is present in ANY of the specified locations. For example, searching for "Apples" and "Oranges", and searching both the "Subject Line" and "Message Body", the results will include messages with both "Apples" and "Oranges" in either the subject or the body. This is also true when enacting the NOT option. For example, when searching for "Apples" and "!Oranges", and searching both the "Subject Line" and "Message Body", the results will contain messages where "Apples" but not "Oranges" appear in either the subject or the body.

    Include Litigation Hold Messages

    Messages on Litigation Hold remain available to Administrators beyond their normal expiry date. If this option is checked (unchecked by default), the search will include items on Litigation Hold which have exceeded their expiry date. If this option is unchecked then the search will not include these messages.

    Messages on Litigation Hold which have not yet reached their normal expiry date will be included in both cases.

    Search Within Smart TagIf a Smart Tag is selected using the Lookup button, the search results will be filtered to only return the results from that Smart Tag.  Use the X to clear a selected Smart Tag.

     

    Additional Search parameters can be specified within the Search Filters and Options section.  To ensure that only relevant search data is returned, it is important to specify as many filters as possible:

     

    Field NameDescription
    From Address (or Domain) and To Address (or Domain)

    Use the From and To fields by entering the email address or domain name(s) to specify the sender or recipient addresses respectively.  Some additional points to be aware of when entering these details include:

    • You cannot use a wildcard at the beginning of the entry
    • If you are looking for multiple addresses, list them by separating them with a space
    • If you are not sure of the full email address, enter the name part and then add a wildcard (*) for the domain portion
    • You can use the term NOT to specify an email address or domain name to exclude from the search results, i.e. domain.com NOT admin@domain.com.

    If you've an Address Alterations Policy, the address must be the new address.

    From Date and To DateBy default,  the search is performed over the last month's worth of email data.  The date criteria can be adjusted as required using the calendar controls, and is based on the sent date of the email. The time field also allows more granularity when looking for a particular email.
    Route FilterThe Route Filter is used to target the specific route of the email traffic, which is either All routes, inbound (from an external sender to an internal recipient), outbound (from an internal sender to an external recipient) or internal (sent from one internal user to another internal user). The default is set to all routes.
    Results sort order

    This can be set to display the search results in one of three ways - Descending Date Order (most recent emails appear first), Ascending Date Order (oldest emails appear first), and Relevance Order (the emails that match the search criteria more closely appear first). The default is Descending Date Order.

    Relevance Order can be helpful in narrowing down a search by showing the most specific results first. Therefore if you did a search using the text “meet*” and selected Relevance Order, emails with the word “meet” would be shown first, and then other matches (for example, “meets” or “meeting”) would follow.

    Once the search results are displayed, the View menu can be used to re-sort the results.

  4. Click the Search button to initiate the Search.  Email results are displayed in a list format, as per the search criteria specified above.
    Archive Search Results

 

Working With the Search Results

 

  • By default, search results are displayed 100 records at a time. This can be increased incrementally to a maximum of 1000 records. The page navigation arrows on the top right side of the screen (next to the Row count) can be used to move from one page of results to the next.
  • With the correct permissions, administrators can forward or export selected messages from the Archive.
  • The sender, recipient, and subject of each message is displayed in the search results, along with the mail flow direction and attachments (specified below). The total size of the message and sent date of the email are also displayed.
  • The View menu allows you to sort the search results by date, relevance, address, or subject.
  • Click on a message to view it's content and metadata:
    • If you've the correct permissions, the body of the message is displayed. However administrators can access the metadata by selecting the View drop down menu.
    • Standard administrators can only view the header and transmission information in the message body.
    • Additional metadata can be accessed by all administrators to determine email delivery. For more information, see the related article on Email Receipt and Delivery Views.

End users have the ability to perform a personal archive search by using Mimecast user services. However this only cover messages where they are the sender or recipient.

3 people found this helpful

Attachments

    Outcomes