Поделиться через


How to Use AQS to Construct Complex Discovery Queries

Introduction

Advanced Query Syntax (AQS) is used to create searches that can be used in Discovery Searches. The purpose of this blog is to show how to construct very complex search queries for Discovery Search using AQS.

AQS can also be used in Outlook online mode searches, Outlook cached mode searches, Outlook Web Access (OWA) searches, and file searches of the Windows operating system.

AQS is provided by through the Windows operating system using Windows Desktop Search (WDS). In order to create valid AQS searches, you must create fully qualified searches. Creating a fully qualified search involves adding a parenthesis every time you add a Boolean operator to the search. Boolean operators include AND, OR, and NOT.

 

Creating Fully Qualified AQS Searches

For example if you wish to search for the word settle and include variants such as settles, settled, and settlement, you can search for the following term:

settle*

The asterisk means that you will be searching for all terms beginning with the root settle. This is called prefix searching. In Exchange 2010 Discovery Search and in Exchange 2010 Service Pack 1 OWA search or later, you must add the asterisk.

In Outlook online mode and earlier versions of Exchange 2010 or Exchange 2007 OWA search, the asterisk is added for you by the system.

If you are not sure if the system is going to do prefix searching by default, you can always add the asterisk to make sure. However, you should avoid adding an asterisk after a very small number of letters or numbers (such as 1 or 2 letters or numbers), as this can bring very large sets of results or even cause the search to fail.

If you wish to search for the terms settle* OR double, because you are adding a Boolean operator, you need to add parentheses to make the search fully qualified:

(settle* OR double)

If you wish to search for the terms entrap* OR lawsuit you would enter the search this way:

(entrap* OR lawsuit)

 

Let us suppose you wish to find hits for a Discovery search that included the terms settle* OR double and also included the terms suit OR arraign*.

You would enter the search this way - first, place the two expressions next to each other:

(settle* OR double) (suit OR arraign*)

 

Then, add the logical operator AND:

(settle* OR double) AND (entrap* OR lawsuit)

 

The rule is that every time you an a Boolean logical operator (AND or OR or NOT), you must add a beginning and closing parentheses.

Since you have introduced a new Boolean operator (AND) to the expression, add a beginning and closing parentheses:

((settle* OR double) AND (entrap* OR lawsuit))

 

Since you have now created a fully qualified AQS query, the following expression will bring the same results as the query above:

((lawsuit OR entrap*) AND (double OR settle*))

 

In other words, ((settle* OR double) AND (entrap* OR lawsuit)) is equivalent to ((lawsuit OR entrap*) AND (double OR settle*)) – these searches will give the same results.

However, (settle OR double) and (entrap* OR lawsuit) is not equivalent to (lawsuit OR entrap*) AND (double OR settle*) – these searches will give different results.

The reason that these searches give different results is that in AQS, all queries must be fully qualified. Otherwise, the queries are invalid and will give incorrect results.

 

Creating Complex Fully Qualified AQS Queries

Remember - the rule in AQS is that every time you wish to add a new Boolean operator such as AND or OR or NOT to a query, you must add a new beginning and a matching ending parenthesis.

The chart below illustrates this principle:

Operators Parentheses Expression

0 0 settle*

1 11 (settle* OR double)

2 211 ((settle* OR double) OR depos*)

3 3111 (((settle* OR double) OR bond) OR depos*)

4 4111 ((((settle* OR double) OR bond) OR depos*) OR appeal*)

5 5111 (( (((settle* OR double) OR bond) OR depos*) OR appeal*) OR aquit)

6 6111 ((( (((settle* OR double) OR bond) OR depos*) OR appeal*) OR aquit) OR brief*)

7 7111 ( ((( (((settle* OR double) OR bond) OR depos*) OR appeal*) OR aquit) OR brief*) OR claim)

8 8111 (( ((( (((settle* OR double) OR bond) OR depos*) OR appeal*) OR aquit) OR brief*) OR claim) OR convict*)

9 9111 ((( ((( (((settle* OR double) OR bond) OR depos*) OR appeal*) OR aquit) OR brief*) OR claim) OR convict*) OR docket)

10 10111 ( ((( ((( (((settle* OR double) OR bond) OR depos*) OR appeal*) OR aquit) OR brief*) OR claim) OR convict*) OR docket) OR inform*)

Group A

 

Here are two more examples:

Operators Parentheses Expression

0 0 entrap*

1 11 (entrap* OR lawsuit)

2 211 ((entrap* OR lawsuit) OR litigat*)

3 3111 (((entrap* OR lawsuit) OR litigat*) OR trial)

4 41111 ((((entrap* OR lawsuit) OR litigat*) OR trial) OR defend*)

5 511111 (( (((entrap* OR lawsuit) OR litigat*) OR trial) OR defend*) OR affirm)

6 6111111 ((( (((entrap* OR lawsuit) OR litigat*) OR trial) OR defend*) OR affirm) OR complain*)

7 71111111 ( ((( (((entrap* OR lawsuit) OR litigat*) OR trial) OR defend*) OR affirm) OR complain*) OR contract)

8 811111111 (( ((( (((entrap* OR lawsuit) OR litigat*) OR trial) OR defend*) OR affirm) OR complain*) OR contract) OR judg*)

9 911111111 ((( ((( (((entrap* OR lawsuit) OR litigat*) OR trial) OR defend*) OR affirm) OR complain*) OR contract) OR judg*) OR prejudice)

10 101111111111 ( ((( ((( (((entrap* OR lawsuit) OR litigat*) OR trial) OR defend*) OR affirm) OR complain*) OR contract) OR judg*) OR prejudice) OR interrogat*)

Group B

Operators Parentheses Expression

0 0 indict*

1 11 (indict* OR insur*)

2 211 ((indict* OR insur*) OR triple)

3 3111 (((indict* OR insur*) OR triple) OR attorney)

4 4111 ((((indict* OR insur*) OR triple) OR attorney) OR dismiss*)

5 5111 ((((indict* OR insur*) OR triple) OR attorney) OR dismiss*) or bankrupt)

6 6111 ((( (((indict* OR insur*) OR triple) OR attorney) OR dismiss*) or bankrupt) or confirm*)

7 7111 ( ((( (((indict* OR insur*) OR triple) OR attorney) OR dismiss*) or bankrupt) or confirm*) or counsel*)

8 8111 (( ((( (((indict* OR insur*) OR triple) OR attorney) OR dismiss*) or bankrupt) or confirm*) or counsel*) or discover*)

9 9111 ((( ((( (((indict* OR insur*) OR triple) OR attorney) OR dismiss*) or bankrupt) or confirm*) or counsel*) or discover*) or evidence)

10 10111 ( ((( ((( (((indict* OR insur*) OR triple) OR attorney) OR dismiss*) or bankrupt) or confirm*) or counsel*) or discover*) or evidence) or liquidat*)

Group C

Combining Groups of Terms to Create More Complex Queries

If you want to combine terms in a very complex search, you can combine groups and add logical operators.

For example, if you first wish to take all the terms in Group A above and AND those terms with all the terms in Group B above and then you wanted to make sure that none of the terms in Group C would be found in the results combining A AND B, you would be create an expression something like this:

((Group A AND Group B) NOT Group C)

 

The first step is to add each group separately – we will take expressions with 3 terms each to illustrate:

((settle* OR double) OR depos*) ((entrap* OR lawsuit) OR litigat*) ((indict* OR insur*) OR triple)

 

Then we add the logical operators:

((settle* OR double) OR depos*) AND ((entrap* OR lawsuit) OR litigat*) NOT ((indict* OR insur*) OR triple)

Then we add the additional parentheses to AND Group A and Group B together to take care of the AND operator between Group A and Group B:

( ((settle* OR double) OR depos*) AND ((entrap* OR lawsuit) OR litigat*) ) NOT ((indict* OR insur*) OR triple)

Then we add the additional parentheses to the entire expression because we are adding the NOT operator

((((settle* OR double) OR depos*) AND ((entrap* OR lawsuit) OR litigat*)) NOT ((indict* OR insur*) OR triple))

Then we add the additional parentheses to AND Group A and Group B together to take care of the AND operator between Group A and Group B:

( ((settle* OR double) OR depos*) AND ((entrap* OR lawsuit) OR litigat*) ) NOT ((indict* OR insur*) OR triple)

Then we add the additional parentheses to the entire expression because we are adding the NOT operator

((((settle* OR double) OR depos*) AND ((entrap* OR lawsuit) OR litigat*)) NOT ((indict* OR insur*) OR triple))

We can do the same thing with 11 terms from each group - the first step is to add each group separately – we will take expressions with 3 terms each to illustrate:

( ((( ((( (((settle* OR double) OR bond) OR depos*) OR appeal*) or aquit) or brief*) or claim) or convict*) or docket) or inform*)

( ((( ((( (((entrap* OR lawsuit) OR litigat*) OR trial) OR defend*) or affirm) or complain*) or contract) or judg*) or prejudice) or interrogat*)

( ((( ((( (((indict* OR insur*) OR triple) OR attorney) OR dismiss*) or bankrupt) or confirm*) or counsel*) or discover*) or evidence) or liquidat*)

 

Then we add the logical operators:

( ((( ((( (((settle* OR double) OR bond) OR depos*) OR appeal*) or aquit) or brief*) or claim) or convict*) or docket) or inform*) AND

( ((( ((( (((entrap* OR lawsuit) OR litigat*) OR trial) OR defend*) or affirm) or complain*) or contract) or judg*) or prejudice) or interrogat*) NOT

( ((( ((( (((indict* OR insur*) OR triple) OR attorney) OR dismiss*) or bankrupt) or confirm*) or counsel*) or discover*) or evidence) or liquidat*)

 

Then we add the additional parentheses to AND Group A and Group B together to take care of the AND operator between Group A and Group B:

(( ((( ((( (((settle* OR double) OR bond) OR depos*) OR appeal*) or aquit) or brief*) or claim) or convict*) or docket) or inform*) AND

( ((( ((( (((entrap* OR lawsuit) OR litigat*) OR trial) OR defend*) or affirm) or complain*) or contract) or judg*) or prejudice) or interrogat*)) NOT

( ((( ((( (((indict* OR insur*) OR triple) OR attorney) OR dismiss*) or bankrupt) or confirm*) or counsel*) or discover*) or evidence) or liquidat*)

 

Then we add the additional parentheses to the entire expression because we are adding the NOT operator

((( ((( ((( (((settle* OR double) OR bond) OR depos*) OR appeal*) or aquit) or brief*) or claim) or convict*) or docket) or inform*) AND

( ((( ((( (((entrap* OR lawsuit) OR litigat*) OR trial) OR defend*) or affirm) or complain*) or contract) or judg*) or prejudice) or interrogat*)) NOT

( ((( ((( (((indict* OR insur*) OR triple) OR attorney) OR dismiss*) or bankrupt) or confirm*) or counsel*) or discover*) or evidence) or liquidat*))

Validating Matching Parentheses in AQS Queries

You can install and use Notepad++ to validate beginning and closing parentheses when creating AQS queries.

Notepad++
https://notepad-plus-plus.org/

 

Summary and Conclusion

Advanced Query Syntax (AQS) is used to create searches that can be used in Discovery Searches. AQS can also be used in Outlook online mode searches, Outlook cached mode searches, Outlook Web Access (OWA) searches, and file searches of the Windows operating system. AQS is provided by through the Windows operating system using Windows Desktop Search (WDS). In order to create valid AQS searches, you must create fully qualified searches.

Creating a fully qualified search involves adding a parenthesis every time you add a Boolean operator to the search. Boolean operators include AND, OR, and NOT.

In order to create complex valid AQS queries you can use in Discovery Search in Exchange 2010, use the chart above to build queries like the ones in the sample queries given above.

Use Notepad++ to validate beginning and closing parentheses when creating AQS queries.

 

Bob Want, Senior Support Escalation Engineer, Enterprise Communications Services, Microsoft

Comments

  • Anonymous
    June 13, 2014
    There are lots of great resources out there, so here is a link fest so you too can become an enlightened eDiscovery expert, and no you don’t need to be an IT everything expert.
  • Anonymous
    April 22, 2015
    I wish there was a real example with more then one word keywords. I've spent a great deal of time trying to locate this information and still struggle with the whole New-MailboxSearch -SearchQuery parameter as if I have multiple keywords with spaces along with multiple terms.


    So when I run this -SearchQuery ((("Jackson Cheater") AND ((("Parks and Recreation Board” OR "Park Events Taskforce") OR "Sometown Parks") OR "Recreation Department Board")) NOT ((news* OR newclips*) OR "City Media Activity Reports")) it gives me an error about missing a closing expression
  • Anonymous
    March 12, 2016
    If you use the gvim editor, you can see different colors for matching parens, and als use the % operator to match parens. If the cursor does not jump to the match parens, then you know it's missing.
  • Anonymous
    March 12, 2016
    The idea is to create your complex search with gvim so you can match all the parens, then cut/paste into Outlook/OWA