BlackLight uses an implementation of Elasticsearch for smart indexing. By default, searching the index (typically called querying the index) looks across all the fields and documents that have been indexed. Additional functionality has been built in to allow examiners to narrow the search to the files they are interested in. Common searching techniques and examples are summarized below.
When searching the index, users enter a query string that is interpreted by the index engine into a series of terms and operators.
A term can be a single word — quick or brown — or a phrase, surrounded by double quotes — "quick brown" — which searches for all the words in the phrase, in the same order. By default, entering only terms will search the index for any items that contain one or more of those words, exactly as you enter it in the search field. In addition, index searching is not case sensitive.
Operators allow you to customize the search — the available options are explained below.
| Query option | Description | Operator | Example query string | Result |
|---|---|---|---|---|
| AND | Both terms on either side of the AND must be present in the item | AND | quick AND brown | A file with the phrase "the quick brown fox" or "the brown fox is quick" would be found by this query |
| OR | At least one of the terms on either side of the OR must be present in the item | OR | quick OR brown | A file with the phrase "the quick fox" or "the brown mouse" would be found by this query |
| NOT | The term after the NOT must not be present in the item | NOT | quick NOT brown | Returns files with the word quick that do not also contain the word brown |
| Grouping terms | To build complex queries, users can group terms and operators | ( ) | (quick AND brown) OR (slow AND steady) | Returns files containing either the words quick and brown, or the words slow and steady |
| Wildcard | Typically used at the end of a term to find any word that starts with those letters | * | bro* | Items with brown and items with browns would both return a hit |
| Replace one character | Locates files where the ? can be any single character | ? | qu?ck | Both quick and quack would hit, but not quaeck |
| Proximity | Specifies a maximum distance, in words, between the words of a phrase; the words can be in any order | "phrase"~distance | "fox quick"~5 | Items with "quick brown fox" or "fox is running very quick" would both return hits, since the words are within 5 words of each other |
| Date searching | Locates only items within the date or date range; can be combined with other terms to find files that match those terms within a date range | date:[YYYY-MM-DD TO YYYY-MM-DD] | created: [2000-01-01 TO 2020-12-31] | Locates files with a created date between January 1st, 2000 and December 31st, 2020 |
| Path searching | Locates only items with the specified terms in the path | path:("term") | path:("SMS") | Locates files where the Path field contains SMS |
| Metadata field searching | For any other metadata field, searches for a specific value in that field | "Metadata field: term" | "Device Model: iPhone 4" | Locates files where the Device Model metadata field matches iPhone 4 exactly |
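As an added example (not BlackLight's or Elasticsearch's own code), the following Python evaluates the boolean, grouping, wildcard, single-character and phrase operators from the table above against a few constructed sample files, so the example queries can be checked against the results column. Proximity, date and field searches are not covered, and the sample files and function names are assumptions for illustration.

```python
import re
# Constructed sample "files" (not real evidence): the phrases the table above uses as examples.
FILES = {"a.txt": "the quick brown fox", "b.txt": "the brown fox is quick",
         "c.txt": "the quick fox", "d.txt": "the brown mouse",
         "e.txt": "slow and steady wins", "f.txt": "two browns and one quack"}
TOKEN_RE = re.compile(r'"[^"]*"|[()]|[^\s()"]+')  # "phrase", parenthesis, or bare term

def words(text):
    """Split text into lower-cased words: index searching is not case sensitive."""
    return [w.lower() for w in re.findall(r"[A-Za-z0-9]+", text)]

def term_matcher(tok):
    """Predicate for one term: a "quoted phrase" (all words, adjacent, in order) or a
    bare word where * matches any run of characters and ? exactly one character."""
    if tok.startswith('"'):
        phrase, n = words(tok), len(words(tok))
        return lambda ws: any(ws[i:i + n] == phrase for i in range(len(ws) - n + 1))
    pat = re.compile(re.escape(tok.lower()).replace(r"\*", ".*").replace(r"\?", ".") + "$")
    return lambda ws: any(pat.match(w) for w in ws)

def parse(query):
    """Recursive descent: expr := clause ((AND|OR|NOT)? clause)*, clause := (expr) | term.
    Adjacent terms with no operator between them are OR'ed, the default described above."""
    toks, pos = TOKEN_RE.findall(query), 0
    def clause():
        nonlocal pos
        tok = toks[pos]; pos += 1
        if tok == "(":
            f = expr(); pos += 1  # consume the closing ")"
            return f
        return term_matcher(tok)
    def expr():
        nonlocal pos
        f = clause()
        while pos < len(toks) and toks[pos] != ")":
            op = toks[pos].upper()
            if op in ("AND", "OR", "NOT"):
                pos += 1  # explicit operator
            else:
                op = "OR"  # bare adjacent terms default to OR
            g = clause()
            f = {"AND": lambda a, b: lambda ws: a(ws) and b(ws),
                 "NOT": lambda a, b: lambda ws: a(ws) and not b(ws),
                 "OR": lambda a, b: lambda ws: a(ws) or b(ws)}[op](f, g)
        return f
    return expr()

def search(query, files=FILES):
    """Sorted names of the files whose content satisfies the query."""
    pred = parse(query)
    return sorted(name for name, text in files.items() if pred(words(text)))
```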
Date and Number Ranges
Ranges can be specified for date, numeric or string fields. Inclusive ranges are specified with square brackets [min TO max] and exclusive ranges with curly brackets {min TO max}.
| Range option | Description | Example query string | Result |
|---|---|---|---|
| Date range, inclusive | All days in a range, including the first and last specified | created:[2019-01-01 TO 2019-12-31] | All files with a created date in 2019 |
| Number range | All numbers in a range, including the first and last specified | Count: [1 TO 5] | Files where the metadata field "Count" has a value of 1, 2, 3, 4, or 5 |
| Items before a specified date | Use the wildcard to indicate any time before a specific date | created: {* TO 2019-01-31} | All files with a created date before January 31st, 2019 |
| Items after a specified date | Use the wildcard to indicate any time after a specific date | created: {2019-01-31 TO *} | All files with a created date after January 31st, 2019 |
The results of the query can be seen in the 'Content Pane'. Highlight a result in the list of files returned and the hit will appear in the highlighted hit area. The entire file will be displayed in the 'File Content Viewer' with the search term hits highlighted. If multiple files are highlighted in the list of files returned, the hits from all of them will appear in the highlighted hit area.
The index can also be searched using standard Lucene query syntax, along with most Lucene search operators and term modifiers. For more advanced options on Elasticsearch operators and term modifiers, see the Elastic documentation.