Veritas Enterprise Vault™ Discovery Accelerator Reviewer's Guide

Last Published:
Product(s): Enterprise Vault (12.2)
  1. Introducing Discovery Accelerator
    1.  
      Key features of Discovery Accelerator
    2.  
      About the Discovery Accelerator client
    3.  
      Opening the Discovery Accelerator client
    4.  
      Finding your way around the Discovery Accelerator client
  2. Searching for items
    1. Creating and running Discovery Accelerator searches
      1.  
        Limitations on searching certain types of Skype for Business content
    2.  
      About the search criteria options
    3.  
      Guidelines on conducting effective searches
  3. Manually reviewing items
    1. About reviewing with Discovery Accelerator
      1.  
        Limitations on reviewing certain types of Skype for Business content
    2.  
      About the Review pane
    3.  
      Filtering the items in the Review pane
    4. Searching within the review set
      1.  
        Conducting quick searches
      2. Conducting advanced searches
        1.  
          About the search attributes
        2. About the operators
          1.  
            Guidelines on using the NEAR operator condition in Discovery Accelerator rules
        3.  
          About SQL Server stopwords
        4. Manually editing queries in analytics rule definition language (RDL)
          1.  
            Using parentheses to set Boolean precedence in analytics RDL
          2.  
            Using stemming in analytics RDL
          3.  
            Specifying custodian and target values in analytics RDL
    5.  
      Finding all items in the same conversation
    6.  
      Assigning review marks and tags to items
    7.  
      Adding comments to items
    8.  
      Viewing the history of items
    9.  
      Displaying printable versions of items
    10.  
      Downloading the original versions of items
    11.  
      Copying the item list to the Clipboard
    12.  
      Changing how the Review pane looks
    13.  
      Setting your Review pane preferences
  4. Working with research folders
    1.  
      About research folders
    2.  
      Creating research folders
    3.  
      Reviewing the items in research folders
    4.  
      Exporting items from research folders
    5.  
      Giving other users access to your research folders
    6.  
      Copying items to research folders
    7.  
      Converting research folders into cases
  5. Exporting and producing items
    1. About exporting and producing items
      1.  
        Limitations on exporting certain types of content
    2.  
      How exporting differs from producing
    3.  
      Performing an export or production run
    4.  
      About the limits on the number of simultaneous export and production runs
    5.  
      Making the export IDs or Bates numbers visible in Microsoft Outlook
  6. Creating and viewing reports
    1.  
      About the Discovery Accelerator reports
    2.  
      Creating Discovery Accelerator reports
    3. Available Discovery Accelerator reports
      1.  
        Archive Source report
      2.  
        Case History report
      3.  
        Export Run Duplicates report
      4.  
        Item Detail report
      5.  
        Legal Holds report
      6.  
        Production Run report
      7.  
        Production Run Duplicates report
      8.  
        Productions report
      9.  
        Searches report
      10.  
        Security report
    4.  
      Viewing existing reports
    5.  
      Deleting reports
    6. About viewing Discovery Accelerator datasets using the OData web service
      1.  
        Available Discovery Accelerator datasets
      2.  
        Accessing the Discovery Accelerator datasets
      3.  
        Using the OData service with Microsoft Excel
      4.  
        Using the OData service with Microsoft SQL Server Reporting Services (SSRS)
      5.  
        Troubleshooting OData errors
  7. Appendix A. Enterprise Vault properties for use in Discovery Accelerator searches
    1.  
      About the Enterprise Vault search properties
    2.  
      System properties
    3.  
      Custom Enterprise Vault properties
    4.  
      Custom Enterprise Vault properties for File System Archiving items
    5.  
      Custom Enterprise Vault properties for SharePoint items
    6.  
      Custom Enterprise Vault properties for Compliance Accelerator-processed items
    7.  
      Custom properties for use by policy management software
    8.  
      Custom properties for Enterprise Vault SMTP Archiving

About the search criteria options

Discovery Accelerator groups the search criteria options into multiple sections, which are described below. Click the arrow icons at the right to expand or collapse the sections.

When you construct a search that contains multiple options, pay attention to how each option interacts with the others in the search properties pane. Discovery Accelerator links all the selected options together with Boolean AND operators rather than OR operators. For example, suppose that you construct a search whose criteria include the following:

  • A data range in the Date range section

  • A search term in the Search terms section

  • A file extension in the Attachments section

The search results contain only those items that match all the search criteria. Discovery Accelerator ignores any items that match some of the search criteria options but not others.

The search properties pane has the following sections:

Search section

The Search section identifies the search and specifies when it runs.

Context

Identifies the case or research folder in which the search runs. When the folder is not linked to any case, "My Research" appears.

Name

Specifies a name for the search, such as "Daily Message Capture (London)".

Based on Search

Lets you select an existing search as the basis on which to set the criteria for the new search.

Save results in

If displayed, lets you select a location in which to save the results. Select New folder in <Context> in the drop-down list if you want to specify the details of a new folder in which to save the results.

This option is available only when you create a search in a folder that is not linked to any case (you have selected "My Research" in the left pane).

Search Type

Specifies whether the search runs immediately or at a scheduled time. If you select Scheduled, you can specify a period during which the search is to run. You can also choose from one of a number of existing schedules.

Automatically accept search results

Specifies whether to add the search results to the review set automatically. This option may be useful for any proven searches that you intend to run on a regular basis. If you select Automatically accept search results, you cannot reject the results and change the search criteria. We recommend that you clear Automatically accept search results until you have tested that the search returns the expected results.

A search that returns an error from any archive is not automatically accepted, regardless of this setting.

Include items already in review

Specifies whether the search results can include the items that you have previously captured and added to the review set. For an immediate search or scheduled search, we recommend that you select this box to ensure that the results include the items that may already be in review from other searches.

Date range section

The Date range section lets you search for items according to when they were sent or received.

Today / Yesterday / Last 7 days / Last 14 days / Last 28 days

Limits the search to items that were sent or received during the selected period. The date ranges are relative to when the search runs, which is today in the case of an immediate search.

You may find these options useful when creating a scheduled, recurrent search that runs once every day, week, two weeks, or four weeks. For example, if the search runs once a week, select Last 7 days to limit the range to the days since the search last ran.

Specific date range

Lets you search the items that were sent or received during a longer or more specific period than the other date range options permit. To enter a date, click the options at the right of the From and To boxes and then select the required date. Unlike the other date range boxes, a specific date range remains static and not relative to when the search runs.

Select Use Historical Information for Custodians and Custodian Groups to use both the current information and historical information for custodians and custodian groups in the search. If you clear this option, Discovery Accelerator uses only the current set of custodians, groups, and email addresses. Any users or groups whose names or email addresses have changed, or who have been deactivated for some reason, are excluded from the search.

Since search last ran

For a scheduled search only, lets you search the new items that have arrived since the last time you ran the search. This option is similar to options such as Today and Yesterday. However, it lets you set an explicit start date for the first run of the search.

By default, this option searches from the date of the last run (or the start date for the first search) to the current day minus 1 (that is, up to yesterday).

Search terms section

The Search terms section specifies the words or phrases for which Discovery Accelerator should search in items. Click Add search term to add each word or phrase for which you want to search. Note the following:

  • Discovery Accelerator searches are case-insensitive.

  • Regular expressions are not permitted.

  • To search for a phrase, enclose the words in quotation marks.

    For example, you can search for all items whose subject lines contain the phrase "organizational changes" by defining a search term like this one:

    SUBJ: "organizational changes"

    Discovery Accelerator considers the file names of message attachments to be their subjects. So, the preceding search term finds both items that contain the phrase "organizational changes" in their subject lines and attachments that have this phrase in their file names.

  • If you type multiple words on the same line, Discovery Accelerator finds all items that contain any of the words or phrases on the line.

    Note that you must separate all the words in the search term with spaces. The following search term does not return the expected results because there is no space between the words "changes" and "license" - and consequently Discovery Accelerator searches for items that contain one or more of the following words: "organizational", "changeslicense", and "agreements".

    SUBJ: "organizational changes""license agreements"

    Similarly, the search terms license;agreements and license; agreements differ because, in the second case, a space follows the semicolon. The presence of the space causes Discovery Accelerator to find the items that contain either word, whereas the absence of the space causes Discovery Accelerator to treat the search term as a phrase.

  • Press the Return key in a search box to add another line to it. If you type multiple lines in a search box, choose Any of or All of in the left box to determine whether OR or AND conditions connect the lines.

  • To add the details of email targets or custodians to the From box or To box, click the Targets and custodians button at the right of the box.

    Targets and custodians button

    Note:

    If you specify as a target or custodian a Domino user whose details you synchronize with a Domino directory, you must ensure that this user has an SMTP address defined in the Domino directory. Otherwise, the search fails to find the matching items. Alternatively, you can search for such users by their display names.

  • Use the fields in the Custodian Manager options area to specify how to search for custodians or custodian groups. You can choose to search email addresses, display names, or both email addresses and display names. If you select Use Email Addresses and Display Names, a custodian or custodian group must have either a matching email address or a matching display name to meet the search criteria; it does not need to have both.

    Select Include member addresses for distribution lists if you want Discovery Accelerator to search not only the display name and email address of a custodian group but also the email addresses of all the members of the group.

    The conditions that you enter in the Custodian Manager options area use the custodian information that is available at the time that you build the search. This information is not updated unless you edit the search again. For example, when you create a search and select the option Include member addresses for distribution lists, the list members at that time are saved with the search. If the membership of the list changes later, these changes are not applied to the search until you edit and save it again.

  • Place the plus sign (+) in front of a word or phrase to connect it to every other word or phrase on the line with a Boolean AND condition. This sign instructs Discovery Accelerator to treat the specified word or phrase as required criteria. For example, the following search string means "(server AND test) OR (group AND test) OR (cluster AND test)":

    [Any Of] server group +test cluster

    In the following example, the search string means "(server AND test AND group) OR (cluster AND test AND group)"

    [Any Of] server +group +test cluster

  • Place the minus sign (-) in front of a word or phrase to connect it to every other word or phrase on the line with a Boolean AND NOT condition. This sign instructs Discovery Accelerator to exclude from the result set those results that match the other search criteria and contain the excluded term. For example, the following search string means "(server AND NOT test) OR (group AND NOT test) OR (cluster AND NOT test)":

    [Any Of] server group -test cluster

    In the following example, the search string means "(server AND cluster AND (group AND NOT test))":

    [All Of] server
         cluster
         group -test

    A search term cannot comprise an excluded word or phrase only. When you specify such words or phrases, you must also specify a positive word or phrase that you want to appear in the search results.

  • You can use an asterisk (*) wildcard to represent zero or more characters in your search. Use a question mark (?) wildcard to represent any single character.

    A wildcard search always finds items that match your search criteria and that were archived in Enterprise Vault 10.0 or later. To ensure that the search results also include items that Enterprise Vault 9.0 or earlier has archived, enter at least three other characters before the wildcard. For example, the following search string returns hits for the words "make", "maker", "making", "wonder", "wondering", and so on:

    [Any Of] mak*
         Wonder*

    You can include wildcard characters in the email addresses that you specify in a From box or To box. The following example finds items from users with an email address that includes "@acme.uk" or "@acme.hk":

    [Any Of] @acme.?k

    However, you cannot use either wildcard character after a special character, such as the ampersand (@). For example, the search string "@?cme.uk" does not produce the expected results.

  • Discovery Accelerator ignores any nonalphanumeric characters in the search term, except for those that have special significance, such as the plus sign, minus sign, and question mark.

    For example, a search for the term US@100 may find instances not only of US@100 but also of US 100 and US$100. Including nonalphanumeric characters in the search term may therefore return more results than you expect.

Archives section

Note:

This feature is available only if you have the Select Archives in Search permission in the case.

The feature is not available when you define the criteria for a scheduled search; you can use it when you set up immediate searches only.

The Archives section lets you restrict the scope of a case-level search or folder-level search to certain archives only. By default, Discovery Accelerator searches all the archives in the vault stores that you have selected for the case. However, this may be undesirable and time-consuming if Discovery Accelerator must search many thousands of archives unnecessarily.

To select the archives in which to search

  1. Click Search these archives.
  2. Click the Archive Picker option at the right.
  3. In the Select Archives dialog box, select the required archives.

    You can select up to 5000 archives from the case-level archive list.

  4. Click Apply.
Attachments section

The Attachments section lets you search for items with a certain number or type of attachments.

Number

Specifies the required number of attachments. The default option, "Does not matter", means that the item can have zero or more attachments. All the other options require you to type one or two values that specify the required number of attachments.

File extensions

Specifies the file name extensions of particular types of attachments for which to search. Separate the extensions with space characters. For example, type the following to search for items with HTML or Microsoft Excel file attachments:

.htm .xls

This search option evaluates attachments by their file names only; it does not check their file type. For example, suppose that a user changes the file name extension of a .zip file to .zap and then sends the renamed file as an email attachment. A Discovery Accelerator search for items that have attachments with a .zip extension does not find the email with the renamed attachment.

The contents of some attachments may not be searchable because Enterprise Vault has not indexed them. In particular, file formats such as Fax and Voice do not have any indexable content.

For more information on how Discovery Accelerator conducts searches in which you have specified file name extensions, see the following article on the Veritas Support website:

http://www.veritas.com/docs/000016765

Miscellaneous section

The Miscellaneous section lets you search for items of a certain size and type or that have the specified retention category.

Message size

Specifies the size in kilobytes of each item for which to search, as reported by the message store (Exchange, Domino, and so on). The item size includes the size of any attachments.

Message type

Searches for items of the selected types.

Include only non-indexed items

Lets you search for the unindexed items that do not normally appear in the search results, such as binary files and encrypted mail items.

If you select this option, you must leave the Content field empty.

Retention category

Searches for items to which Enterprise Vault has assigned the selected retention categories.

Policies section

The Policies section lets you search for items according to the tags with which any additional policy management software has classified them.

Policy

Lets you search for the items that match certain classification policies. There are several types of policies:

  • Inclusion. Any item that your policy management software has classified for inclusion in the review set may be guilty of the most serious offenses, such as swearing, racism, or insider trading. You would normally want to ensure that the items exhibiting any of these features were included in your review set.

  • Exclusion. Spam items and newsletters are typical examples of the items that your policy management software may classify for exclusion from the review set.

  • Category. Your policy management software may categorize the items that exhibit certain characteristics, such as containing Spanish text. This type of policy provides no information on whether an item should be included in or excluded from the review set.

These policy types are not mutually exclusive. Your policy management software may apply multiple policies of different types to the same item. However, note that inclusion policies always take precedence over the other types of policies.

Select the required policy type and then select the names of the policies for which you want to search. Alternatively, you can select Custom as the policy type and then type the names of one or more policies. Separate multiple policy names with commas, like this:

CustomPolicy1,CustomPolicy2

If you choose to search for multiple policies, the search results will contain items that match any one of the policies.

Filter policies by current case

Lets you omit from the list those policies that are not in use in the current case.

Custom attributes section

The Custom attributes section lets you search for the items that have the specified attributes. When Enterprise Vault processes an item, it populates a number of the item's attributes with information and stores this information with the archived item. Some third-party software may also attach additional attribute information to items. If you know the name of an attribute that interests you, you can enter its details here as a custom attribute.

Note the following:

  • If you enter the details of several attributes, use the options in the Attribution inclusion box to determine whether the search results should match any of the attributes or all of them.

  • For attributes that accept string values, you can add the details of email targets or custodians by clicking the Targets and custodians buttons at the right of the boxes.

    If you set Custodian Manager options to Use Email Addresses and Display Names, it is important to understand how Discovery Accelerator processes the details of any custodian that you enter in a custom attribute field. Discovery Accelerator links the custodian's email address to the display name with either a Boolean AND operator or an OR operator, depending on what you choose in the Operator box. For example, with Operator set to All, only items that match both the custodian's email address and the display name meet the search criteria; an item that matches just one of these details does not meet the search criteria. Set Operator to Any to link the email address and display name with an OR operator. Then any item that matches at least one detail (but not necessarily both) meets the search criteria.

  • To search for attribute information that third-party software has added to the X-Headers of SMTP items, add the prefix EVXHDR. to the name of the required attribute. For example:

    EVXHDR.X-CompanyID

    The attribute name and value are case-sensitive.

  • Do not enclose attribute values in quotation marks if you want to indicate that they are phrases. Instead, select Phrase as the operator for these attributes, if you have a choice. Alternatively, you can indicate that an attribute value is a phrase by replacing all the spaces with periods, as follows:

    sample.attribute.value

    This technique lets you specify multiple phrase values for the same custom attribute. For example, consider the following attribute value:

    Enterprise.Vault.Service.Account system DA.Administrator

    This value matches "Enterprise Vault Service Account", "system", and "DA Administrator".

More Information

About the Enterprise Vault search properties