Using Inline Search
Inline search provides an additional mechanism to filter emails after they have been downloaded and before they have been written to disk.
Inline Search v. In-place Search
FEC's In-place Searches are performed directly on the email server. In-place searches are generally very fast as FEC does not actually download the emails or make its own search index to be able to search them. Instead, it passes your search query to the email server and retrieves a list of the results for you to preview and/or acquire.
On the other hand, inline searches are offline searches that are executed against an in-memory searchable index that is created after the email message is downloaded. Inline searches are typically more powerful than in-place searches but take significantly longer to perform on an entire mailbox.
Inline Search Use Cases
Main use cases for inline search include:
- Working around in-place search limitations of an email provider such as limited syntax or lack of in-place search support
- Working around in-place search caps imposed by providers
- Bringing search capabilities to a common denominator when acquiring mailboxes from multiple providers within the same project
- Scanning emails for complex data points such as personally identifiable information (PII) using regular expressions
Inline Search Options
Exceptions will be treated as responsive (default: OFF) Choosing this option causes FEC to treat indexing/search exceptions as responsive. In other words, if the email and/or its attachments could not be searched, it would be treated as responsive and included in FEC's output.
Only metadata will be searched (default: OFF) Choosing this option causes FEC to not extract text but only use metadata. This can be used to speed things up if your inline search only relies on metadata such as dates.
Only parent email will be searched (default: OFF) Choosing this option causes FEC to skip indexing attachments of the email. This can be used if you wish to limit the search to the parent emails only.
Accented Characters will be Normalized (default: OFF) This option controls whether or not the search index is sensitive to accented characters. For example, when the option is turned off, finding the string résumé requires searching for the string résumé. When the option is turned on, searching for resume would also find occurrences of the string résumé.
Inline Search Syntax
Phrases
In order to treat a term as a phrase, enclose it in double quotes. Example:
"contract dispute"
Field Searches
You can restrict your query to a specific field by typing the field name followed by a colon. Otherwise, the search will be performed on the contents field. All field names should be typed in lowercase. Example:
from:hello@metaspike.com
Fields
The following fields are supported:
| Field | Description |
| from | The sender of the email. |
| to | The recipient(s) of the email. |
| cc | The carbon copy recipients of the email. |
| bcc | The blind carbon copy recipients of the email. |
| subject | Email subject. |
| attachmentnames | Names of the attachments of the email. |
| messageid | Message-ID of the email as defined in RFC 5322. |
| headers | MIME headers of the email. |
| contents | A combination of the extracted text and metadata of the email. If the option to include attachments in the inline search was selected, this field also covers the text and metadata extracted from the attachments of the email. This is the default field that is searched when no field is specified. |
| earliestdate | The earliest timestamp identified within the email. If the option to include attachments in the inline search was selected, timestamps encountered in the attachments of the email are also taken into account. |
| latestdate | The latest timestamp identified within the email. If the option to include attachments in the inline search was selected, timestamps encountered in the attachments of the email are also taken into account. |
| received | The received date of the email if it has trace headers. |
| sent | The origination date of the email. |
| startdate | The start date of a calendar event. |
| enddate | The end date of a calendar event. |
| itemclass | The Item Class of the acquired item in Exchange (EWS) acquisitions. |
| fscreationdate | Internal date or creation date server metadata where applicable. |
| fsmodificationdate | Modification date server metadata where applicable. |
Date Searches
Date searches are performed as follows:
sent:[2021/01/20 TO 2022/03/14]
The above query would search for emails whose origination date is between January 20, 2021 and March 14, 2022.
When higher precision is desired, timestamps can be provided in full including the time component in 24-hour format. In this form, the timestamps should be enclosed in double-quotes. Timestamps are specified in UTC.
Example:
sent:["2021/01/20 13:51:05" TO "2022/03/14 14:45:13"]
Boolean Operators
The AND, OR, and NOT Boolean operators are supported. When no Boolean operator is specified between terms, the AND operator is used. Boolean operators must be in all caps.
Negative Searches
If you have both positive and negative terms, you can compose your search using the <positive terms> NOT <negative terms> structure. For example:
subject:documents NOT subject:business
If you do not have any positive terms (i.e., your entire search is a negative search), then you can compose your search as follows:
*:* NOT subject:business
Regular Expression Searches
When performing regular expression searches, the regex pattern should be enclosed between forward-slash ("/") characters. Example:
/m[ae]ssage/ would find documents containing massage or message .
Wildcard Searches
The * wildcard serves as a multiple-character wildcard while the ? character serves as a single-character wildcard. Example:
pro?e would match prove and probe
exam* would match exam , examine , and example
Proximity Searches
Proximity searches can be performed using the ~n syntax. Example:
"contract dispute"~5 would search for instances where contract and dispute are within 5 words of each other.
Fuzzy Searches
Fuzzy searches match terms based on the Damerau-Levenshtein distance. In order to perform a fuzzy search, use the ~ symbol at the end of a single-word term. The default allowed distance is 2.
Example:
position~ would match position , positive , and potion as all three terms are 2 Edit Distances (default) apart.
If you would like to specify the maximum allowed Damerau-Levenshtein distance, enter it following the ~ . For example:
position~1 would not match positive or potion , but it would match positron
Grouping
Subqueries can be grouped using parentheses. Example:
(dispute OR conflict) AND contract
Grouping can also be performed within a field. Example:
subject:(vehicle AND theft) would search for documents where both vehicle and theft are present in the subject field.
Example Searches
"contract dispute" OR "intellectual property" OR inspect* searches for two phrases and a wildcard term in the default (contents) field.
subject:mike attorney searches for documents whose subject contains mike and the default field (contents) contains attorney . Because a Boolean operator is not specified, the AND is implied.
headers:/74\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/ AND "intellectual property"~2 searches for emails with IP addresses in their MIME headers that start with 74., and contain intellectual and property within two words of each other.
messageid:"614132532.2689721.1583268318358@mail.yahoo.com" searches for emails with a specific Message-ID.
Layered Searches
It is possible to combine Inline Searches with In-place Searches and Differential Acquisitions. For instance, if target mailboxes are to be filtered using a date restriction as well as a set of complex keywords, the date restriction can be performed as an in-place search, which would reduce the data size very quickly, and the keyword search can be performed as an Inline Search within the same acquisition.
Supported Attachment Types
The following types of attachments are currently supported:
eml, msg, xls, xlsx, pdf, pptx, doc, rtf, docx, zip, tar, xz, lzma, gz, bz2, rar, 7z, deb, ar, a, lib, iso, vhdx, vhd, wim, swm, esd, vmdk, text-based files (e.g., txt, log, csv, tsv, etc.), HTML, XML, ics, vcf
Are Documents OCRed?
FEC does not perform optical character recognition (OCR) on email attachments that are missing extractable text.