Advanced search
Advanced search enables precise queries using multiple filters, logical operators, and over 50 searchable fields. Use advanced search to narrow or expand results based on specific criteria.
Query with IrisQL
IrisQL provides a text-based query language for Advanced Search. Build queries as code, copy/paste them between applications, and toggle between IrisQL and the visual interface.
Access advanced search
- Navigate to the Iris Investigate search interface.
- Select the Advanced button next to the search box.
- The advanced search panel opens with filter options.
Add filters
- Select Add Filter in the advanced search panel.
- Choose a field from the dropdown (for example, Email, IP Address, Registrar).
- Select a match operator (for example, Matches, Contains, Greater Than).
- Enter your search value.
- Repeat to add additional filters.
Combine filters with logical operators
Use logical operators to combine multiple filters:
- AND: Narrows results by requiring all conditions to match.
- OR: Expands results by matching any condition.
Example: Search for domains with email:"admin@example.com" AND registrar:"GoDaddy" to find domains registered by that email at GoDaddy.
Maximum filters
Iris Investigate supports a maximum of 1024 filters per advanced search.
Historical search toggle
Three fields support historical search:
- Email: Search historical email addresses.
- Registrant: Search historical registrant information.
- WHOIS Record: Search full text of historical WHOIS records.
By default, the system enables historical search for these fields. To override this behavior for a specific search:
- Open the advanced search panel.
- Locate the history icon next to supported fields.
- Toggle historical search on or off.
- Run your query.
Important: Historical search can return domains that don't currently match your query. These domains matched your criteria at some point in their history. To see when a domain matched, select See Historical Matches in the domain's WHOIS History.
For global historical search settings, see Settings.
Match operations
Match operations determine how your search query compares against stored data. Understanding these operations helps create precise searches.
Tokenization
Many match operations use tokenization to analyze text. When searching for help-facebook.com, the system breaks the value into two tokens: help and facebook.com. Similarly, the phrase "this is an example" becomes four tokens: this, is, an, and example.
Some operations use these tokens to match records (such as Matches and Contains), while others perform exact string matching without tokenization (such as Exactly Matches).
String matching operations
| Operation | Tokenization | Logic | Description | Example with help-facebook.com |
|---|---|---|---|---|
| Begins With | No | N/A | Field value starts with the specified string | Matches domains starting with help-facebook.com |
| Ends With | No | N/A | Field value ends with the specified string | Matches domains ending with help-facebook.com |
| Contains | Yes | OR | Returns records containing any token. More permissive than Contains All | Returns records with either help OR facebook.com |
| Contains All | Yes | AND | Returns records containing all tokens. Tokens don't need to be in specific order or adjacent | Returns records with both help AND facebook.com |
| Matches | Yes | AND | For text fields, returns records containing all tokens (case-insensitive). For quantitative fields, works as "Equal To" | Returns records with both help AND facebook.com |
| Exactly Matches | No | N/A | Precise, exact string match without tokenization. Case-insensitive | Returns only records with exact string help-facebook.com |
| Does Not Contain | Yes | OR (exclusion) | Excludes records containing any token. More restrictive than Does Not Contain All | Excludes records with either help OR facebook.com |
| Does Not Contain All | Yes | AND (exclusion) | Excludes records only if all tokens are present. Returns records missing at least one token | Excludes only records with both help AND facebook.com |
| Does Not Match | Yes | AND | Returns records where at least one token is missing | Returns records without both help AND facebook.com |
| Does Not Exactly Match | No | N/A | Returns records without exact character-for-character match. Case-insensitive | Returns records without exact string help-facebook.com |
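The following is a small model of the tokenized operations in the table above, added here as an illustration; it is not DomainTools code. The tokenizer (split on whitespace and hyphens, case folded), the whole-token comparison, and the sample field values are assumptions chosen to reproduce the two tokenization examples on this page.

```python
import re

# Constructed sample field values (not real Iris data).
RECORDS = [
    "help-facebook.com",
    "help-desk-facebook.com",
    "facebook.com",
    "help-center.example",
    "example.org",
]

def tokenize(text):
    # Assumption: split on whitespace and hyphens, keep dots, fold case.
    # This reproduces the two tokenization examples on the page only.
    return [t for t in re.split(r"[\s\-]+", text.lower()) if t]

def matches(op, value, query):
    """Model one string-matching operation for a single field value."""
    rec, toks = set(tokenize(value)), tokenize(query)
    has_any = any(t in rec for t in toks)   # OR logic
    has_all = all(t in rec for t in toks)   # AND logic
    exact = value.lower() == query.lower()  # no tokenization
    return {
        "Contains": has_any,
        "Contains All": has_all,
        "Matches": has_all,
        "Exactly Matches": exact,
        "Does Not Contain": not has_any,
        "Does Not Contain All": not has_all,
        "Does Not Match": not has_all,
        "Does Not Exactly Match": not exact,
    }[op]

def search(op, query, records=RECORDS):
    """Return the sample values that the operation would keep."""
    return [r for r in records if matches(op, r, query)]

if __name__ == "__main__":
    for op in ("Contains", "Contains All", "Exactly Matches",
               "Does Not Contain", "Does Not Contain All"):
        print(f"{op:22} {search(op, 'help-facebook.com')}")
```

Under this model, Does Not Contain keeps only example.org, while Does Not Contain All also keeps facebook.com and help-center.example, which is the difference to check before using an exclusion filter to trim a result set.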
List matching operations
| Operation | Description |
|---|---|
| In | Field value matches any value in a specified list |
| Not In | Field value doesn't match any value in a specified list |
| Exactly In | Field value exactly matches any value in a specified list (case-sensitive) |
| Not Exactly In | Field value doesn't exactly match any value in a specified list |
Existence operations
| Operation | Description |
|---|---|
| Exists | Field contains any value |
| Does Not Exist | Field is empty or not present |
Comparison operations
| Operation | Description |
|---|---|
| Greater Than | Field value is greater than the specified value |
| Greater Than or Equal To | Field value is greater than or equal to the specified value |
| Less Than | Field value is less than the specified value |
| Less Than or Equal To | Field value is less than or equal to the specified value |
Drag and drop from Pivot Engine
Quickly build advanced searches from Pivot Engine data:
- Open the advanced search panel.
- Drag a value from the Pivot Engine.
- Drop it into the advanced search panel.
- Iris Investigate automatically creates a filter with the appropriate field and value.
Available search parameters
For a complete list of searchable fields, accepted operators, and shortcodes, see Search Reference.
Search results
After executing an advanced search, use the Pivot Engine to explore connections:
- Pivot on values: Right-click any data point to create new searches based on that value. Learn more about pivoting techniques.
- Guided pivots: Iris Investigate highlights promising pivot points that lead to 500 or fewer domains. See Guided Pivots for details.
- Historical pivots: Filter pivots by time period to focus on specific timeframes. Learn about Historical Pivots.
Next steps
- Search Reference: Complete field and operator reference.
- Flexible Search: Pattern-based domain discovery.
- RDAP in Search: Search RDAP vs WHOIS data.
- Pivoting: Explore connections from your results.
- IrisQL: Text-based query language for advanced users.