Sdílet prostřednictvím


Use the Query Report to create keyword reports for KeyQL queries (preview)

When you filter in a review set, it can be difficult to compare filtered results when using multiple saved queries. The Query Report helps you generate and download a consolidated report on multiple queries for a review set. This report lets you quickly see the total count and volume of filtered items on a particular keyword search or multiple compound KeyQL queries.

Select an individual query report item to review specific filtered items. You can select individual items and view the source, plain text, and metadata information for an item.

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Create a query report

To create a query report in a review set, complete the following steps:

  1. Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned eDiscovery permissions.

  2. Select the eDiscovery solution card and then select Cases.

  3. Select a case, then select the Review sets tab.

  4. Select the review set that you want to export and select Open review set.

  5. Select Actions > Query Report (preview).

  6. On the Query Report (preview) page, enter your search queries and separate each with a line break (pressing enter on your keyboard). A report is generated for each search query line.

    For example, if you want to filter by:

    • a keyword confidential in items for one query,
    • a filter for two keywords confidential and Project Infinity in items for another query,
    • and filter using a complex KeyQL statement (((FileClass="Email") AND (InclusiveType="InclusiveMinus" OR InclusiveType="Inclusive")) OR ((FileClass="Attachment") AND (UniqueInEmailSet="true")) OR ((FileClass="Document") AND (MarkAsRepresentative="Unique")) OR (FileClass="Conversations")) for a third query,

    You would use the following values on separate lines in the Query Report (preview) search query field:

    condfidential
    confidential AND Project Infinity
    (((FileClass="Email") AND (InclusiveType="InclusiveMinus" OR InclusiveType="Inclusive")) OR ((FileClass="Attachment") AND (UniqueInEmailSet="true")) OR ((FileClass="Document") AND (MarkAsRepresentative="Unique")) OR (FileClass="Conversations"))

  7. Select Generate report.

The results of the queries are summarized with the following information displayed for each query:

  • KQL: The Kusto Query Language (KQL) statement used for the filter query.
  • Locations with hits: The number of locations with filter query hits.
  • Count: The number of items in the filter result.
  • Percentage: The percentage of hits in the total count of items.
  • Size: The file size of the items with hits.

Using the Query Report

To view the individual items returned by the filter queries, double-click the filter query line in the report. Select an individual item to view item details. The item information is read-only, you can't annotate, modify, or export these items.

To download the report summary information for the filter queries, select Download report to create a .csv file containing this information. Filter queries aren't saved when you exit the Query Report.