Search content in a review set in eDiscovery

In most cases, it's useful to dig deeper into the content in a review set and organize it to facilitate a more efficient review. By using filters and queries in a review set, you can focus on a subset of documents that meet the criteria for your review.

Query content in a review set

The eDiscovery review set provides a querying experience that you can use to build flexible queries for review sets. The querying experience enables you to:

• Quickly search for review set content matching certain conditions.
• Create complex queries by using AND or OR conditions in KeyQL.
• Manage saved filters without going to another area and easily change your queries by loading saved queries.

To query content in your review set, use the following controls:

• Select Query in the toolbar or the blue bubble above the toolbar. Any applied query also appears here above the toolbar.
• Keyword condition automatically populates for any new query.
• AND/OR: These conditional logical operators enable you to select the query condition that applies to specific filters.
• Add conditions: Enables you to add multiple conditions to your query.
• Select an operator: Depending on the selected filter, the operators compatible with the filter are available to select. For example, if you select the Date filter, you see the available operators Before, After, and Between. If you select the Size filter, you see the available operators Greater than, Greater or equal, Less than, Less or equal, Between, and Equal.
• Value: Depending on the selected filter, the values compatible with the filter are available. Additionally, some filters support multiple values and some filters support one specific value. For example, if you select the Date filter, you select date values. If you select the Size (in bytes) filter, you select a value for bytes.
• Clear a condition value: To clear the value inside a condition, select the X to the right of each condition line.
• Remove a filter condition: To remove an individual filter or subgroup, select the Delete icon to the right of each condition line.
• Clear all: To clear the entire query of all conditions and their values, select Clear all.
• Save: Saves the current conditions into a saved query by giving it a name.
• Load saved filters: Saved filters allow you to load any saved queries and overwrite existing query that is built.
• Run query: For any manually built conditions or opened saved filters, select Run query to apply the query to the review set. The last run query is retained and is available the next time you open the review set, even after you exit.
• Hide and show query: use hide and show button to expand and collapse the query section.

Condition types

Every searchable field in a review set has a corresponding condition that you can use to filter items based on a specific property.

There are multiple types of filters:

• Free-text: A free-text condition is applied to text fields such as Subject. You can list multiple search terms by separating them with a comma.
• Date: A date condition is used for date fields such as Last modified date.
• Search options: A search options condition provides a list of possible values (each value is displayed with a checkbox that you can select) for particular fields in the review. This condition is used for fields, such as Sender, where there's a finite number of possible values in the review set.

• Keyword: A keyword condition is a specific instance of free-text condition that you can use to search for terms. You can also use Kusto-like query language in this type of condition. For example user can type red AND blue in a keyword condition grid, run the query and get all items in the review set that has both the word "red" and the word "blue". The matched keywords are also highlighted in the plain text view in the preview pane.

Save and manage filter queries

After you build your conditions, save the condition combination as a filter query. This saved filter query lets you apply the same query in future review sessions.

To save, select Save and give it a name. You or other reviewers can run previously saved filter queries by selecting the Saved filter dropdown and selecting a filter query to open and click run query to apply review set documents.

To edit or delete a saved filter query, select Saved filter and mouse over the saved filter and choose Edit and Delete options for the saved filter query.

Use query language support for KeyQL and Keyword filters

When you use the KeyQL or Keyword filters, you can use a Kusto-like query language to build your review set search query. The query language for these two filters supports standard Boolean operators, such as AND, OR, NOT, and NEAR. It also supports a single-character wildcard (?) and a multicharacter wildcard (*).

Scenario examples

Filter for untagged items in a review set

An eDiscovery administrator needs to create a query to find all items in the review set without any tagging applied. For this example, the administrator creates the following review set query:

1. For the first condition, the administrator selects Add conditions and searches for the tag condition. The Tags condition is displayed as a matching option. The administrator selects it and selects Apply.
2. The administrator then selects Is empty operator for the Tags condition.
3. The administrator selects Run query.

This review set list is updated to show all items that don't have any tags applied.

Filter for native file type items in a review set

An eDiscovery administrator needs to create a query to find all items in the review set that are a certain type, such as .csv, .msg, or .pdf. For this example, the administrator creates the following review set query:

1. For the first condition, the administrator selects Add conditions and searches for the file in condition search. The condition Native file extension is one of the options displayed in the search results. The administrator selects it and selects Apply.
2. The administrator then selects the Equals any of operator.
3. The administrator selects the value box and chooses the file types in the dropdown such as csv to include in the query.
4. The administrator selects Run query.

The review set is updated and only the items that match the selected file types are displayed.

Filter partially indexed items

If you select the option to include partially indexed items when you add the search to a review set, you probably want to identify and view those items. You can determine if an item might be relevant to your investigation and whether you need to fix the error that resulted in the item being partially indexed.

1. Select Add conditions in the query building space.
2. Find the condition KQL and select Apply.
3. Keep the operator as Equal and type AddedBy in the KQL editor box. You can filter out items added to the review set by applying the KQL of AddedBy=UnindexedQuery.
4. Select Run query.

The review set is updated and only the items that match the partially indexed query are displayed.

Filter documents by theme

Filtering documents by theme can save time when reviewing documents. For example, if you're looking for documents that discuss a particular subject, you can filter the documents by the dominant theme that relates to that subject. You can also filter documents by other themes in the theme list to find documents that are similar to a document that you're interested in. To display the themes for a document as a column in the document list for the review set, select Customize columns and select Dominant theme and Themes list.

To filter documents by theme, complete the following steps:

1. In a review set, add Dominant theme condition.
2. Select an operator to use with the Dominant theme and define the value to use with the operator.
3. Use an additional Themes list condition and the operator and values to apply to this filter. You can configure the AND and OR operators to filter documents by a combination of the Dominant theme and Themes list values.