Using Advanced Query Syntax for searching in Exchange 2010.


I’ve noticed for some time now that we don’t have a lot of documentation on searching in Exchange 2010, which I believe has led to our customers having issues when doing searches in their environments.  I’ve noticed that a majority of search cases I’ve handled were related to inconsistent results, which have been resolved by using AQS to define the search rather than running a very broad search.
 
Using AQS lets you define your query more precisely. For example, suppose you’re looking for an email with the subject “please review this email” and you want to find every user who has this email. You might run:
 
Without AQS:
Get-Mailbox | Search-Mailbox -SearchQuery "please review this email" -TargetMailbox administrator -TargetFolder search
 
The results this gives you will be skewed: you will receive emails that have that phrase as the subject, emails that have the phrase in the body, and possibly even emails where the phrase is the name of an attachment or is contained within the attachment itself.  With AQS you can define specifically where you want to search.
 
With AQS:
Get-Mailbox | Search-Mailbox -SearchQuery 'subject:Please review this email' -TargetMailbox administrator -TargetFolder search
 
This query will specifically look for emails with the subject “please review this email” and not return results from the body or any attachments.  This will improve your search results dramatically!
 
Now what if you want to define it even further: emails with that subject that were sent from a specific employee, let’s say Steven Brown?  For that you can build upon your query like this.
 
Get-Mailbox | Search-Mailbox -SearchQuery '(subject:Please review this email) AND (from:Steven brown)' -TargetMailbox administrator -TargetFolder search
 
So the above command will find email with a specific subject and from a particular user.  I used my lab to show an example of the expected results.  Below is a snapshot of user303’s inbox.  It’s important to remember to wrap the query in single quotation marks so the shell knows where the query starts and ends; the parentheses help separate the different Boolean clauses you have in place.
 

 
Now for an example I’m going to run a search where I’m looking ONLY for emails with the subject “search test 3” and from “user302”. My query will look like this.
 
-SearchQuery '(subject:search test 3) AND (from:user302)'
 

 
With Search-Mailbox you have the option to either copy the emails to a mailbox or delete the content with the -DeleteContent switch; I’ve elected to copy the messages.
 

 
So as you can tell, we only got results for our specific query; the email “search test” was not included in our results.  I really hope this helps everyone define their searches and avoid any issues or search timeouts!  I have also included a link to the documented AQS page for you to reference; it lists the available Boolean operators you can use as well as how to incorporate Boolean properties into your queries.  The biggest advice I can give is to just keep trying different variations of the query if you don’t get your expected results. A lot of times the logic of the query is correct and it may just be a parenthesis or quotation mark out of place.

https://msdn.microsoft.com/en-us/library/aa965711.aspx – Advanced Query Syntax
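
The workflow above as a script, added here as an example and not the author's own code: it builds the same subject/from query, counts hits per mailbox with -EstimateResultOnly, then copies only from the mailboxes that matched. The helper name New-AqsClause and its rule of rejecting values that contain AQS syntax characters are assumptions of this example; the mailbox and folder names are the ones used in the lab commands above.

```powershell
# Added example. New-AqsClause is a hypothetical helper; Search-Mailbox and
# its switches are the Exchange 2010 cmdlet the article uses.
function New-AqsClause {
    param(
        [Parameter(Mandatory=$true)][string]$Property,   # e.g. subject, from
        [Parameter(Mandatory=$true)][string]$Value
    )
    # A stray colon, parenthesis or double quote changes how AQS parses the
    # clause, so refuse the value instead of sending a query that means
    # something else (assumption: conservative choice for this example).
    if ($Value -match '[:()"]') {
        throw "Value for '$Property' contains AQS syntax characters: $Value"
    }
    "(${Property}:$Value)"
}

# Build the query from the article's lab example.
$query = (New-AqsClause -Property subject -Value 'search test 3'),
         (New-AqsClause -Property from -Value 'user302') -join ' AND '

# Step 1: estimate only. Nothing is copied or deleted; each result reports
# how many items in that mailbox match the query.
$hits = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $r = Search-Mailbox -Identity $mbx.Identity -SearchQuery $query -EstimateResultOnly
    if ($r.ResultItemsCount -gt 0) {
        New-Object PSObject -Property @{
            Mailbox = $mbx.Identity
            Items   = $r.ResultItemsCount
            Size    = $r.ResultItemsSize
        }
    }
}
$hits | Format-Table Mailbox, Items, Size -AutoSize

# Step 2: copy the matches to the review folder, only from mailboxes with hits.
# -LogLevel Full writes a per-item log alongside the copied messages.
foreach ($h in $hits) {
    Search-Mailbox -Identity $h.Mailbox -SearchQuery $query `
        -TargetMailbox administrator -TargetFolder search -LogLevel Full
}

# Step 3 (left commented out): once the copied items have been reviewed, the
# same $query can be reused with -DeleteContent in place of the target parameters.
# foreach ($h in $hits) {
#     Search-Mailbox -Identity $h.Mailbox -SearchQuery $query -DeleteContent
# }
```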

All the best!

Comments (2)

  1. Tom says:

    While I appreciate this article, what about the more difficult searches that involve subject lines that contain a colon (“:”)? For instance, I have a subject line as follows:

    RE: this is bad email

    If I try to do a search using (subject:RE: this is bad email) or subject:”RE: this is bad email” the search does not return the results, and depending on the syntax used can actually return an error. I would assume this is because the colon is used as part of the query language itself, but I have not found a way to get the search to work. Some have suggested using the escape character (`) before the colon, but that does not work. Can you enlighten us as to how to solve this problem? Also, how about subject lines with quotes in them?

    1. Hello Tom,

      My apologies on the extremely late response, long story :). The easiest way to explain the reply question is that search doesn’t recognize the RE: in subjects so you’d set up your query just like you would if it wasn’t a reply. Now if you wanted JUST replies that is a bit more difficult. The easiest way I’ve found to do this is to apply another filter, like a user or date.

      Search-Mailbox "user" -SearchQuery 'subject:(this is bad) AND (from:user)'

      Obviously not ideal, but it will allow you to grab the messages for review and find out any further criteria you can filter on if you want to execute a delete command.

      This one is a bit more complicated because of the quotations and I’d have to test it out, however I feel if you split them up or even run it as one query the quotations shouldn’t cause much of an issue as long as you don’t put them in the query and don’t run the query in quotations to look for exact.

      Search-Mailbox "user" -SearchQuery 'subject:please read this important email'

      or if that doesn’t allow it you can try this.

      Search-Mailbox 'User' -SearchQuery 'subject:(please read this) AND (important)'

      Unfortunately when special characters are put into email subjects it can cause some real issues with AQS queries, when that happens we must become a bit more creative on what criteria we filter on. I think I’ve completely destroyed my labs testing something so I haven’t been able to test, but I will and reply back to this asap.

      Thanks,

      Justin Haugen
